Community-driven catalog of applications developed by third-party developers.
This bug bounty program is focused on https://t.me/tapps itself and TON apps which are listed within this bot.
In Scope
Target | Type | Reward
---|---|---
https://t.me/tapps | Other | Bounty
Apps listed within the @tapps bot that meet the TON-based criteria* | Other | Bounty
https://t.me/Open_league_bot | Other | Bounty
IN-SCOPE VULNERABILITIES (Telegram BOT)
We are interested in the following vulnerabilities:
- Business logic issues
- Payments manipulation
- Remote code execution (RCE)
- Injection vulnerabilities (SQL, XXE)
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Directory traversal
- Other vulnerabilities with a clear potential for loss
OUT OF SCOPE
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
- Vulnerabilities in Telegram applications
- Assets that do not belong to the company
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Reports generated by scanners or any other automated or active exploit tools
- Vulnerabilities involving active content such as web browser add-ons
- Most brute-forcing issues without clear impact
- Denial of service (DoS/DDoS)
- Theoretical issues
- Moderately Sensitive Information Disclosure
- Spam (sms, email, etc)
- MitM and local attacks
- Attacks requiring physical access to a user's device
- Vulnerabilities that require root/jailbreak
- Vulnerabilities requiring extensive user interaction
* Hackers must ensure the application meets the specified criteria (see the TON-based criteria below) before starting testing.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial disclosure, is allowed for the moment.
- Please do NOT publish/discuss bugs
Reports for applications must include:
- Confirmation of on-chain interaction.
- Blockchain interaction logs (e.g., transaction hashes, smart contract IDs, or interaction with TON APIs).
In Scope (TON-based criteria for listed apps)
At least one of the following must be met:
On-Chain Interaction via TON Blockchain
- The application performs transactions recorded on the TON Blockchain (e.g., payments for goods, participation in DAO, interaction with NFTs, or any smart contracts on TON).
- The application uses smart contracts to execute application logic.
Integration with TON Ecosystem
- The application utilizes mechanics directly tied to TON (e.g., token airdrops with verified smart contract logic, TON DNS, TON Storage, or other similar tools).
- The application provides functionality exclusively accessible through TON Wallet (e.g., using TON Connect for authorization and operations related to TON).
Interaction with TON Wallet
- The application must include functionality beyond simple authorization via TON Connect.
- Users can perform actions requiring transaction signatures via TON Wallet.
- TON Wallet usage is verified for business-critical operations (e.g., payments, subscriptions, asset withdrawals/deposits).
Out of Scope
- Applications using only TON Connect for login without additional TON Blockchain mechanics.
- Airdrops without actual on-chain interaction or verified smart contracts.
- Applications that claim future TON integration but lack it in the current version.
- Applications operating exclusively on testnet instead of mainnet.