Bug Bounty

The Tonkeeper bug bounty program rewards researchers who identify and responsibly disclose vulnerabilities in our products.


These Tonkeeper Bug Bounty Program Terms and Conditions ("Terms") cover your participation in the Tonkeeper Bug Bounty Program (the "Program"). These Terms are between you and Tonkeeper ("Tonkeeper," "us" or "we"). By submitting any vulnerabilities to Tonkeeper or otherwise participating in the Program in any manner, you accept these Terms.



General Overview


The Program enables users to submit vulnerabilities ("Vulnerabilities") to Tonkeeper about Tonkeeper products and services for a chance to earn rewards in an amount determined by Tonkeeper in its sole discretion ("Bounty").


The decisions made by Tonkeeper regarding Bounties are final and binding. Tonkeeper may change or cancel this Program at any time, for any reason.


The Program does not extend to third-party services embedded into Tonkeeper.



Eligibility


If you are under the age of majority in your jurisdiction of residence, you may participate in the Program only with the consent of or under the supervision of your parent or legal guardian.


NOTICE TO PARENTS AND GUARDIANS: By granting your minor permission to access the Program, you agree to these Terms on behalf of your minor. You are responsible for exercising supervision over your minor’s online activities. If you do not agree to these Terms, do not let your minor participate in the Program.


You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

· You are a resident of any countries under Sanctions or any other country that does not allow participation in this type of program;

· You are currently an employee of Tonkeeper or its affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;

· Within the six months prior to providing us your Submission you were an employee of Tonkeeper or its affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee; or

· You currently (or within the six months prior to providing us your Submission) perform services for Tonkeeper or its affiliate in an external staff capacity, such as agency temporary worker, vendor employee, business guest, or contractor; or

· Your organization does not allow you to participate in these types of programs.


We reserve the right to immediately remove you from the Program if you violate any of these Terms as determined by us, or if you violate any terms associated with the use of Tonkeeper.


“Sanctions” means any economic, financial or trade sanctions or embargoes, export controls or other restrictive measures imposed by the United States of America (including those administered by the United States Department of the Treasury’s Office of Foreign Assets Control), the European Union, any member state of the European Union, the United Kingdom (including those administered by HM Treasury) or the United Nations.



Code of Conduct


The Vulnerabilities shall be submitted in a responsible manner. The following conduct is expressly prohibited and will result in disqualification from the Program:


You must not:

· interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request;

· intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data;

· exploit a security issue you discover for any reason other than for testing purposes;

· report a vulnerability that another person discovered (including, and especially, someone who does not qualify to participate in the Program);

· disclose any vulnerabilities, suspected vulnerabilities, or the contents of any Submission you make, to any other person, entity, social media service, news reporting service, media, or any other outlet, without explicit pre-authorization from Tonkeeper; and

· perform any other actions that may cause a negative effect on the performance or availability of Tonkeeper’s infrastructure.


These Terms do not provide you authorization to intentionally access Tonkeeper’s data or data from another person's account without their express consent.


If you inadvertently access another person's data or Tonkeeper’s data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or Tonkeeper’s data and notify Tonkeeper what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.



How to report vulnerabilities


If you believe you have identified a Vulnerability that meets the applicable requirements set forth in these Terms, you may make a submission (“Submission”) to Tonkeeper in accordance with the following process:


1. Report your Vulnerability directly to [email protected];

2. Describe the Vulnerability details in the email.


Please note:

1. Any public disclosure nullifies the reward;

2. We may decide not to reward disclosures of issues that are already known or have been previously reported;

3. Multiple vulnerabilities caused by the same underlying issue will be rewarded once.



Reward Payments


Bounties are discretionary, based on issue type, access level, and report quality. High-quality reports aid in quick issue resolution and may increase your reward. Awards and categories may change at any time.



Top Category: $ 15 000 – $ 30 000


Reliable loss of funds or confidential data with no or little user interaction.

Example: tricking the wallet into signing a transaction that the user did not authorize, or triggering a leak of a secret key.



Medium Category: $ 5 000 – $ 10 000


Limited access to funds or confidential data, not reliable or requiring substantial user interaction.

Example: tricking a user into signing a transaction that misuses funds shown differently from the wallet's confirmation.



Low Category: $ 1 000 – $ 2 000


Unauthorised access to personal data, loss of personal data, limited loss of funds.

Example: a dApp accesses user data without consent or incurs excessive fees.



Other:


In other cases the eligibility and the amount of rewards will be defined at Tonkeeper’s sole discretion.



Beta Software


Issues that are unique to pre-production builds (including regressions) and releases receive a +25% bonus to the reward above.



Out of scope


Issues due to a fault in the host environment (OS, device, browser) generally do not qualify for the reward (e.g. bypassing biometric checks), but we may consider paying out a partial reward in case there exists a reliable workaround that eliminates the vulnerability without substantial change to the intended behaviour. Issues in third party services are covered by their respective terms of use and related policies and are out of scope of this program.



Prohibited actions


Rewards are nullified if the researcher conducts brute-force, denial-of-service, or social engineering attacks that lead to service disruption. Additionally, no bounty will be awarded if the reported vulnerability has already been exploited in the wild.



Submission License


Whether or not we grant you a Bounty, you hereby assign to Tonkeeper all rights, titles, and interests (including all intellectual property rights), to the contents of all vulnerability reports that you submit to Tonkeeper.


By participating in the Program, you represent that you have the right to assign all such rights, titles, and interests to us and that your participation in the Program and assignment of such rights, titles, and interests will not breach any agreement you may have with a third party (e.g. your employer).


You represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Tonkeeper.



Confidentiality of Submissions / Restrictions on Disclosure


We endeavor to address each Vulnerability report in a timely manner. While we are doing that, we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.


VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.



Submission Review Process


After a Submission is sent to Tonkeeper in accordance with these Terms, we will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.


Tonkeeper retains sole discretion in determining which Submissions are qualified, according to the rules set forth in these Terms. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission(s) as defined by Tonkeeper. If a duplicate report provides new information that was previously unknown to Tonkeeper, we may award a differential to the person submitting the duplicate report.



Bounty Payments


The decisions made by Tonkeeper regarding Bounties are final and binding.


If we have determined that your Submission is eligible for a Bounty under these Terms, we will notify you of the Bounty amount and, if applicable, provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.


If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.


Please note you may not designate someone else as the Bounty recipient (unless you are considered a minor in your place of residence, in which case we may award the Bounty to your parent/legal guardian on your behalf).


If you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).


WAIVER: by participating in this program and submitting a report, you agree that any reward paid is at our sole discretion and constitutes full compensation for your disclosure. You hereby waive any and all claims, demands, or causes of action against us arising out of or related to the report, including any legal or equitable remedies.



Indemnification


You agree to indemnify and hold Tonkeeper, its affiliates and licensors and their respective shareholders, officers, directors, agents, servants, counsel, employees, consultants, lawyers and other representatives harmless from any losses, costs, liabilities and expenses (including reasonable attorneys’ fees) suffered as a result of any breach of these Terms.



Changes and Termination


We may modify this Policy at any time by posting an updated version. We may also terminate or pause this Program at any time without notice.



Governing Law


These Terms, and any issues or disputes arising out of or in connection with this document (whether such disputes are contractual or non-contractual in nature, such as claims in tort, for breach of statute or regulation, or otherwise) shall be governed by, and construed in accordance with, the laws of England and Wales.



Dispute Resolution


Any dispute arising out of or in connection with these Terms, including any question regarding its existence, validity or termination, shall be referred to and finally resolved exclusively by the English courts.


Hereby, you expressly waive any objection based on lack of personal jurisdiction, place of residence, improper venue, or forum non conveniens in any such action.


IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.

© 2025 Tonkeeper. All rights reserved.
All trademarks are the property of their respective owners.