Topl Bounty Program Scope & Rules of Engagement

Scope

The Topl Bounty Program encompasses both technical contributions, including bug bounties and testing of the protocol, as well as non-technical contributions such as the development of educational content about the Thunder protocol and its uses. The scope will change over time as specific bounties and tasks are added and completed.

Rules of Engagement

Your participation in the Topl Bounty Program is subject to terms and conditions set by Topl. By submitting any bounties or tasks for incentives, you agree to follow the terms outlined and maintained in our Bounty Program Agreement.

Authorized Testing: Participants are only allowed to test within the defined scope and should not perform any unauthorized actions, such as exploiting, exfiltrating data, or disrupting services.

Responsible Disclosure: If Topl Bounty Program participants discover a vulnerability, they must report the discovered issue to community@topl.me within 24 hours.

Ethical Guidelines: Participants must adhere to legal and ethical standards during their testing and/or work to achieve the tasks associated with any bounties. Activities such as unauthorized access, data manipulation, or any malicious intent are strictly prohibited.

No Disruption and Do No Harm: Participants should not attempt to disrupt the normal operation of Topl’s or any Topl ecosystem partners’ systems or services. The goal is to identify vulnerabilities, not to cause harm.

No Public Disclosure Without Approval: Participants should not publicly disclose the details of any vulnerabilities without obtaining approval from the organization first. This helps in coordinating responsible disclosure.

Exclusion Criteria

Attempting to achieve bounties or other tasks through certain disqualifying means may make you ineligible to continue participating in the program. The full list of excluded or disqualifying activities can be found in our Bounty Participation Agreement.

Denial of Service (DoS) Attacks: Any attempt to perform or simulate denial-of-service attacks on systems or networks is not allowed.

Social Engineering Attacks: Activities that involve social engineering, such as phishing attacks, are not permitted.

Brute Force Attacks: Automated brute force attacks or attempts to gain unauthorized access to cryptographically secured data or access are prohibited.

Legal and Compliance Violations: Any activity that violates applicable laws or regulations is strictly prohibited.

Physical Destruction: Physical destruction of hardware, infrastructure, or data is not allowed.

Traffic Interception: Intercepting network traffic in a way that may compromise user privacy or security is prohibited.

Exploitation of Known Issues: Exploiting issues that are already known and documented by Topl is excluded, unless there is evidence of an additional security impact.

Spam or Social Media Attacks: Any activity that involves spamming, phishing, or launching attacks on social media platforms is excluded.

Testing on End Users: Conducting security testing directly on end users or their accounts is prohibited.

Violating Privacy: Activities that violate the privacy of individuals, including accessing or attempting to access personal data without consent, are not allowed.

Eligibility

The Topl Bounty Program is open to developers, creators, and thinkers who would like to contribute to the security, growth, and robustness of the Topl ecosystem. Before being eligible to receive any rewards for your participation, you may be required to undergo KYC verification.

Communication Channels

Bounty Program participants may communicate with Topl core team members using community@topl.me or Discord.

Timely Response

Topl aims to provide timely responses to participants, acknowledging the receipt of vulnerability reports (24 hours) and all bounty-associated task submissions (5 business days unless otherwise specified) to keep participants informed about the progress of resolutions and implementations, respectively.

Educational Resources

In addition to educational resources in the Topl Developer Portal, Topl will regularly update documentation and host virtual workshops to help participants better understand the organization's ecosystem, technology, and security requirements.

Rewards and Recognition

Topl will endeavor to offer attractive and competitive token rewards to motivate participants. When given express permission and where appropriate, Topl will publicly recognize outstanding contributions.

Tiered Rewards

All reward amounts will be commensurate with the severity and/or difficulty of the reported issues and/or completed tasks and designated by the Topl core team member overseeing a given bounty. They will determine each bounty’s difficulty level based on elements including, but not limited to: the comprehensiveness of acceptance criteria, skills required, or expected hours to complete. When appropriate, participants should feel comfortable requesting a reconsideration of rewards.

Transparent Evaluation

Submissions are subject to review by the requisite Topl team member overseeing each bounty and will be evaluated against the following criteria:

  1. Adherence to task scope
  2. Meeting task acceptance criteria
  3. Adherence to task formatting guidelines
  4. Quality of work submitted

Multiple Categories

To allow a wide range of participants to contribute, Topl’s various teams (engineering, product, growth, marketing, and tokenomics) will post bounties to be completed by individuals with diverse skills and experience. It should be noted that the volume and frequency of different teams’ bounties will vary.

Post-Bounty Relationship

Topl is committed to building ongoing relationships with active and successful participants. Where appropriate, we will engage them in ongoing testing, feedback, or potential collaboration on future projects.