Tonkeeper's bug bounty program rewards researchers who identify and responsibly disclose vulnerabilities in our products.
1. Report your vulnerability directly to [email protected];
2. Public disclosure nullifies the reward;
3. We do not reward disclosures of already known or previously reported issues;
4. Multiple vulnerabilities caused by one underlying issue will be rewarded once.
Security Bounty rewards are discretionary, based on issue type, access level, and report quality. High-quality reports aid in quick issue resolution and may increase your reward. Awards and categories may change at any time.
Reliable loss of funds or confidential data with no or little user interaction.
Example: tricking the wallet into signing a transaction that the user did not authorize, or triggering a leak of a secret key.
Limited access to funds or confidential data that is not reliable or requires substantial user interaction.
Example: tricking a user into signing a transaction that misuses funds shown differently from the wallet's confirmation.
Unauthorised access to personal data, loss of personal data, limited loss of funds.
Example: a dApp accesses user data without consent or incurs excessive fees.
Issues that are unique to pre-production builds (including regressions) and releases receive +25% bonus to the reward above.
Issues due to a fault in the host environment (OS, device, browser) generally do not qualify for the reward (e.g. bypassing biometric checks), but we may consider paying out a partial reward in case there exists a reliable workaround that eliminates the vulnerability without substantial change to the intended behaviour.
Issues in third party services are covered by their respective terms of use and related policies and are out of scope of this program.
Rewards are nullified if the researcher conducts brute-force, denial-of-service, or social engineering attacks that lead to service disruption.