Bug bounty
Reward programme for private vulnerability disclosure. TON ecosystem programmes exist at TON Foundation, STON.fi, DeDust, Tonkeeper, EVAA, and others, with payouts up to $500K for critical findings.
Aliases: bugbounty, bug-bounty
Bug bounty is a reward programme for private vulnerability disclosure. A researcher finds a vulnerability, sends the details through a secure channel (Immunefi, HackerOne, a team’s private security@ email) and, once the issue is confirmed, receives a CVE and a cash payout. The alternatives (selling the bug on the darknet, exploiting it yourself) are illegal in most jurisdictions.
TON ecosystem programmes (2026)
| Programme | Platform | Payout for critical |
|---|---|---|
| TON Foundation | Immunefi | up to $500K |
| STON.fi v2 | Immunefi | up to $200K |
| DeDust | Immunefi | up to $150K |
| Tonkeeper | HackerOne | up to $50K |
| EVAA Protocol | Immunefi | up to $100K |
| Notcoin / Catizen | direct security@ | negotiable |
Up-to-date conditions and scope for each programme are listed in the TON bug-bounty guide.
Typical severity tiers
- Critical — smart-contract vulnerabilities with direct loss of funds (drain, mint without backing, frozen funds).
- High — front-end / integration vulnerabilities with funds at risk.
- Medium / Low — DoS, privacy leaks, less-impactful integer overflows.
Responsible disclosure — the discipline
- Always start with private disclosure through the listed channel.
- Wait for the team’s reply and coordinate the publication window.
- Only after the patch — public write-up.
- A public exploit PoC released without coordination = $0 and a possible criminal case for “unauthorised access”.
Bug bounty is the second line of defence after audit. Audit catches known bug classes; the bounty catches what the auditor missed and pays only for what’s actually found (no retainers).