The Tron Bug Bounty Program is aimed at discovering potential technical
vulnerabilities in the mainnet with the help of TRON’s community members,
especially those who specialize in global network security, to sustain TRON
mainnet as the most secure public blockchain in the industry and to provide
secure and stable infrastructure and services to DApps deployed on the
mainnet. We take the security of TRON mainnet very seriously. If you have made
an important discovery of potential bugs, please contact us and join the TRON
Bug Bounty Program as soon as possible and we will surely offer generous
Tron Foundation will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
- Time to bounty (from triage) - 14 business days
We’ll try to keep you informed about our progress throughout the process.
Please review our bounty table. Rewards are at the discretion of Tron, and we
will not be awarding significant bounties for low severity bugs.
Examples of eligible bugs:
- bugs which can take control of java-tron nodes by remote execution of any code.
- bugs which can lead to private key leakage.
- bugs which can incur Denial of Service (DoS) in java-tron through P2P network.
- bugs which can incur Denial of Service (DoS) in java-tron through RPC-API.
- bugs which can incur Denial of Service (DoS) in java-tron through TRON Protocol.
- bugs allowing unauthorized operations on user accounts.
Description of Scope
Please test the latest released versions of each project available. Only the
newest released package is in scope.
Testing Guidance and Tips
You may use the source code of both projects to help you discover bugs.
Additionally, please use our documentation to assist you in your testing.
How to report a bug
- Source of the bug, e.g. tronprotocol/java-tron.
- Your personal assessment of the severity of the bug as medium/high/critical.
- A summary of the bug.
- A detailed description of the bug.
- Instructions to encounter the bug.
- Other supplementary materials such as proof of concepts, source code, screenshots or logs.
Out of Scope
The following locations are considered out of scope for bug bounty
rewards. If you find issues with these projects, PLEASE file issues on the
respective repositories if possible.
- java-tron Master / Release or any other branches of the repository
- tronscan.org : https://github.com/tronscan/tronscan-frontend
- Any third party partners
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's machine/device.
- Attacks requiring root level access to the machine/device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Program Rules & Guidelines
- For a report which contains several bugs, if they share an origin of the same underlying bug or are interrelated, we will regard and reward these bugs as one single bug discovery.
- If several members report on the same bug, the reward will be awarded to the earliest submission verified by TRON Foundation.
- If a bug was reported earlier on other public channels of TRON Foundation, e.g. GitHub, Discord, etc., a report containing the same bug will only be regarded as an Informative or Duplicate report.
- All rights of interpretation of reward amount are reserved to TRON Foundation.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
All rights of interpretation of the Bug Bounty are reserved to TRON. TRON
Foundation decides whether to reward a bug disclosure and how much will be
rewarded. Any individual or team participant must not violate any laws or
regulations during testing.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Tron Foundation and our users safe!
Hall of Fame