TL;DR: Bug bounty programs pay security researchers for finding vulnerabilities. They can run internally or via platforms, and several active programs exist on the TON blockchain, offering rewards ranging from a few hundred to tens of thousands of TON.
What is a Bug Bounty?
A bug bounty is a reward scheme that incentivizes security researchers—often called “white‑hat hackers” or bug hunters—to discover and report bugs and vulnerabilities in software. Payments are calculated based on the severity of the issue, with higher‑severity bugs receiving larger rewards.
Historical Background
- 1995: The first public bug bounty was launched by Netscape Communications Corporation after Jarrett Ridlinghafer proposed the idea and the company allocated $50,000 for its development.
- 2012: Yandex introduced the first bug bounty program in Russia.
- 2013: VK followed with its own program.
- 2020 onward: Numerous open bug bounty platforms appeared across Russia and the CIS.
How Bug Bounty Programs Operate
Internal (In‑house) Model
A company publishes its own bounty program on its website. Researchers submit detailed reports, the company reproduces and fixes the issue, verifies the fix, and then pays the reward. This model is common among large corporations with dedicated security teams.
Platform Model
Companies register on a third‑party platform, define the scope, goals, and reward amounts, and publish the program. Researchers verify their identity on the platform, work on the assigned tasks, and submit reports. The platform mediates verification and payment, taking a commission for its services.
Bug Bounty Programs in the TON Ecosystem
As of December 2024, several active bug bounty initiatives target TON projects. All are listed on the official TON grants page.
STON.fi Bug Bounty
- Fund: 200,000 $TON.
- Reward tiers:
  - Medium severity – 1,000 $TON
  - High severity – 2,000 $TON
  - Critical severity – up to 20,000 $TON
- Details are available on the STON.fi GitHub repository.
Getgems Bug Bounty
- Conducted as a contest where participants hunt for “significant” bugs that break core functionality.
- The top five reports receive prizes up to $500 each, paid in TON.
- Registration requires a GitHub account and a TON wallet linked to @toncontests_bot.
HackenProof × TON
- HackenProof, a major smart‑contract audit platform, partnered with the TON Foundation a year ago.
- Initial participants included @TonDiamonds, @stonfidex, and @evaaprotocol.
TON Foundation Bug Bounty
- Rewards range from $150 to $5,000 per valid report.
- Program terms and documentation are hosted on the HackenProof blog.
All active programs are aggregated on the TON grants portal and the ton‑blockchain/bug‑bounty GitHub repository.
Who Can Participate?
- English proficiency – most documentation and platforms are English‑only.
- Programming skills – Python, JavaScript, Rust, Solidity, or FunC for TON contracts.
- Knowledge of cybersecurity law – to avoid illegal probing.
- Familiarity with security tools – e.g., Burp Suite, Metasploit, Slither, Mythril.
- Understanding of web and network protocols – many bugs arise at the on‑chain/off‑chain interface.
- Analytical thinking – ability to reproduce and document issues clearly.
- Communication skills – concise, reproducible reports are required for payment.
Learning Resources
- Awesome Ethical Hacking Resources – a curated list of free courses and tutorials.
- Virtual labs: bWAPP, HackTheBox, TryHackMe, DVWA.
- Capture the Flag (CTF) competitions for hands‑on practice.
- CertiK Academy and similar platforms for smart‑contract security.
- Public report archives on HackenProof and Immunefi.
See also
- TON Foundation
- STON.fi
- Getgems
- HackenProof
- The Open Network
- Smart Contracts