Mainnet is live!
No items found.

Bug Bounty Program Policy Terms and Conditions

Last Updated:
June 3, 2026

BUG BOUNTY PROGRAM POLICY

Effective From: 13/09/2025

THIS POLICY IS MEANT TO GUIDE INTERNAL DECISION-MAKING AND ENSURE CONSISTENCY. ALL REWARDS ARE DISCRETIONARY AND SUBJECT TO FINAL INTERNAL APPROVAL. TAC RESERVES THE RIGHT TO MODIFY OR TERMINATE THIS POLICY AT ANY TIME WITHOUT NOTICE.

This Bug Bounty Program Policy (“Policy”) outlines the internal process for evaluating, rewarding, and recording contributions from community members (“Contributors”) who help identify technical bugs, including any vulnerabilities, in the layer 1 TAC blockchain (“Protocol”). This Policy is discretionary and nothing in this document creates a legal obligation on the part of TAC Foundation, its affiliates or service providers (“TAC”) or requires that the below processes be followed strictly.

1. Purpose

The purpose of the bug bounty program of the Protocol (“Program”) is to recognize and reward meaningful contributions that help improve the security and stability of the Protocol in cases where bugs are disclosed or discovered.  

2. Eligibility and Case Validation

All bug bounty claims under the Program are assessed and validated by TAC, with input from its technical team. The decision to approve, reject, or modify any bounty reward or process lies solely and entirely within the discretion of TAC. TAC may consider factors such as risk level, technical effort, contribution value, prior interactions, or any other relevant context, but is not obligated to follow any predefined formula or outcome. No Contributor shall have a right or entitlement to a reward unless and until expressly confirmed by TAC in writing.

Minimum Threshold

Each bug must satisfy at least the following minimum threshold checklist before a bounty may be considered:

  • The bug must be sufficiently serious.
  • The security or stability impact of the bug must be confirmed.
  • Technical validation must be completed by TAC’s technical team.

Discretionary Considerations

A bug may be considered eligible for a reward by the TAC Board based on the following discretionary criteria:

  • Whether the bug poses a serious or high-impact risk to protocol security (e.g., fund drain, unauthorized access, transaction manipulation) or significantly affects operational stability (e.g., chain halts, denial-of-service).
  • Whether the bug is original, non-trivial, and was previously unknown to TAC. In the case of duplicate submissions:
    • The first submission to provide a clear and reproducible report of a specific bug will beconsidered for the full reward.
    • If multiple submissions of the same bug are received within a short timeframe (e.g., within 24 hours), TAC may, at its sole discretion:
      • reward only one submission,
      • allocate the reward among several submissions in varying proportions dependingon the completeness of the disclosure and the usefulness of the informationprovided, or
      • decide not to grant any reward if the submissions do not provide sufficient value.
    • Submissions that are similar but identify distinct bugs will be treated as separatesubmissions.
  • Whether the bug was disclosed confidentially to TAC, such disclosure allows sufficient time for mitigation before any public statement is made. For avoidance of doubt, any public disclosure of the bug before communication to TAC or during TAC’s assessment of the bug submission automatically may render the submission ineligible to receive any bounty reward and may subject the Contributor to legal liability. Any further public disclosure of the bug may only occur with TAC’s express prior written consent.
  • If the bug was not disclosed confidentially to TAC, or it appears that the Contributor has violated applicable laws, ethical standards, or TAC’s or third-party intellectual property rights in the discovery process, unless the TAC Board resolves otherwise, the bug will not be eligible for any bug bounty.
  • Whether it includes a clear and reproducible technical explanation and is confirmed and verified by the core technical team of TAC.

3. Submission, Reward Determination & Process

Submission shall be made at info@tac.build with cc at tech@tac.build unless otherwise resolved by the TAC Board. The text of any email submissions must clearly state the following:

  1. explain how the bug works, including relevant context, affected components, and potential outcomes;
  2. include the steps to replicate the bug, such that the team can independently confirm the issue by following the instructions, e.g., code snippets, testnet transactions, curl commands, RPC calls, etc.;
  3. allow TAC's technical team to reproduce the exploit or behavior consistently under test or dev conditions.

Rewards are issued in TAC tokens unless the TAC Board resolves otherwise. The amount is determined at TAC’s sole discretion on a case-by-case basis, based on the severity, impact, and nature of the contribution. TAC reserves the right to modify reward amounts or decline to issue rewards at any time. No specific reward amount is guaranteed, and all reward decisions are final. In order to receive the award, the Contributor must provide a valid EVM-compatible wallet address for the award payout.

4. Compliance Checks & Token Transfer

Before any award payout is executed to the Contributor TAC may require:

  • A KYT (Know Your Transaction) check to be performed on the wallet address.
  • Rewards ≥ 100,000 TAC may trigger the following additional steps:
    • A test transaction must be executed and confirmed.
    • Contributors may be required to complete KYC procedures as required by TAC'scompliance policies, including but not limited to providing proof of identity, country ofresidence, and other documentation as may be requested. TAC reserves the right todecline rewards to Contributors who fail to complete KYC requirements or are located inrestricted jurisdictions

5. Intellectual Property License

By submitting any information, documentation, code, or other materials under this Policy, or by accepting a bug bounty, the Contributor grants TAC a perpetual, irrevocable, worldwide, royalty-free, fully sublicensable and transferable license to use, reproduce, modify, distribute, display, perform, and otherwise exploit such materials for any purpose related to the Protocol, including remediation, improvement, or security hardening. The Contributor agrees that no compensation, other than any discretionary reward, shall be due in connection with such license.

6. Tax Obligations

Contributors are solely responsible for determining, reporting, and paying any and all taxes, duties, or other governmental charges that may apply to their receipt of tokens or participation in the Program, in accordance with the laws of their jurisdiction. TAC assumes no liability for such obligations and will not provide tax advice or reporting assistance.

7. No Employment or Partnership

Participation in the Program does not create any employment, partnership, agency, or contractor relationship between the Contributor and TAC.

8. Liability and Indemnification

This Policy shall be governed by and construed in accordance with the laws of the Cayman Islands, without regard to its conflict of law principles. To the maximum extent permitted by applicable law, TAC Foundation, its affiliates, contributors, officers, employees, agents and service providers shall not be liable for any indirect, consequential, special, or punitive damages arising out of or in connection with this Policy, the Program and TAC tokens, including but not limited to the issuance or non-issuance of any reward. Nothing in this Policy shall exclude liability for death, personal injury, fraud, or other liabilities that cannot be excluded under Cayman Islands law. All Contributors acknowledge that participation in the Program is entirely voluntary and at their own risk.

By submitting a bug or participating in this program, the Contributor agrees to adhere to ethical testing practices. Prohibited testing methods include, but are not limited to DDoS attacks, social engineering, and physical security testing without authorization. The Contributor agrees to indemnify and hold harmless TAC Foundation, its affiliates, contributors, officers, employees, agents and service providers from any and all claims, damages, or liabilities arising out of their participation, including any third-party claims related to the submission, technical findings, tax obligations, or reward payment.

TAC shall not be liable for any errors, losses, or damages arising from the transfer of TAC tokens as rewards, including but not limited to, incorrect wallet addresses, unauthorized access, or security breaches. It is the sole responsibility of the Contributor to ensure that the provided EVM-compatible wallet address is accurate, secure, and capable of receiving TAC tokens. The Contributor acknowledges that any failure to maintain the security and correctness of their wallet address may result in the forfeiture of the reward, and TAC shall bear no liability for such forfeiture.