Banner object (1)

Hack and Take the Cash !

794 bounties in database
  Back Link to program      
Tlon Corp logo
Hall of Fame


500 $ 

Tlon Corp

Tlon Corp looks forward to working with the researcher community to find security vulnerabilities in order to keep our businesses and customers safe. Tlon Corp works on the Urbit project, a personal server built from scratch, revolutionizing modern computing and the internet as we know it.

For an explanation of the Urbit project see here __. Full documentation can be found here __.

Response Targets

Tlon Corp will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Test Plan

For an explanation of the Urbit project see here __. Full documentation can be found here __.

Urbit is divided into two distinct parts. Azimuth, the PKI layer, is currently deployed and in-scope for this Bounty Program. Arvo, Urbit's operating system, is still under very active development and is not currently in scope during this phase of Tlon Corp’s Bug Bounty Program. Arvo will be included at a later date – stay tuned.


Azimuth is a suite of Solidity contracts that functions as Urbit’s PKI. In our PKI, an identity (called a “point”) is represented as an ERC-721 token. Each point is owned by an Ethereum address and other Ethereum addresses can be registered as proxies to perform subsets of actions on behalf of the point.

What we’re interested in

We’re interested in any vulnerability in the contracts (or their clients) that would allow an attacker to either seize other user’s points, impersonate points or that would result in the platform becoming unusable.


An Azimuth development environment consists of two main components: a deploy of the contracts in the Azimuth __repo and an instance of the web client, Bridge __. Both of these can be deployed simultaneously by cloning the Bridge repo, runningnpm install and then running npm run pilot.

Bridge is always hosted locally, and has instructions for running an instance and accessing this instance via a web browser. Bridge also has a menu for selecting which chain to interact with, so it can easily be pointed to either the Mainnet, Ropsten or a local node, depending on the network under test.

If you encounter the “SecurityError: The operation is insecure” error when launching the pilot, remember to allow insecure https in your browser configurations. More details on Bridge __.

The repos below include instructions on the setup for each of these two components and how they interact.

Bridge __is the client that lets users access and interact with points that they own. Releases and instructions for running Bridge locally, can be found here __.

Azimuth __contains all of the Solidity contracts as deployed. In this repo, you’ll find both Azimuth and Ecliptic. Azimuth is the data contract and Ecliptic, the logic contract.

Azimuth.js __is the JavaScript library used to interact with the Azimuth contracts.

Both Azimuth __and Ecliptic __are deployed on Ropsten.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Tlon Corp.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Arvo, OS.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Tlon Corp and our users safe!

In Scope

Scope Type Scope Name


Firebounty have crawled on 2019-08-06 the programe Tlon Corp on the platform Hackerone.

FireBounty © 2015-2020

Legal notices