Bug Bounty

The Tonkeeper bug bounty program rewards researchers who identify and responsibly disclose vulnerabilities in our products.


How to report vulnerabilities

1. Report your vulnerability directly to [email protected];
2. Public disclosure nullifies the reward;
3. We do not reward disclosures of already known or previously reported issues;
4. Multiple vulnerabilities caused by one underlying issue will be rewarded once.

Reward Payments

Security Bounty rewards are discretionary, based on issue type, access level, and report quality. High-quality reports aid in quick issue resolution and may increase your reward. Awards and categories may change at any time.

Top Category: $ 15 000 – $ 30 000

Reliable loss of funds or confidential data with no or little user interaction.

Example: tricking the wallet into signing a transaction that the user did not authorize, or triggering a leak of a secret key.

Medium Category: $ 5 000 – $ 10 000

Limited access to funds or confidential data, not reliable or requiring substantial user interaction.

Example: tricking a user into signing a transaction that misuses funds in a way that differs from what the wallet's confirmation shows.

Low Category: $ 1 000 – $ 2 000

Unauthorised access to personal data, loss of personal data, limited loss of funds.

Example: a dApp accesses user data without consent or incurs excessive fees.

Beta Software

Issues that are unique to pre-production builds (including regressions) and releases receive a +25% bonus to the reward above.

Out of scope

Issues due to a fault in the host environment (OS, device, browser), e.g. bypassing biometric checks, generally do not qualify for the reward, but we may consider paying out a partial reward if there is a reliable workaround that eliminates the vulnerability without substantial change to the intended behaviour.


Issues in third-party services are covered by their respective terms of use and related policies and are out of scope of this program.

Prohibited actions

Rewards are nullified if the researcher conducts brute-force, denial-of-service, or social engineering attacks that lead to service disruption.

© 2025 Tonkeeper. All rights reserved.