BUG BOUNTY PROGRAM POLICY
Last updated: 15/09/2025
THIS POLICY IS MEANT TO GUIDE INTERNAL DECISION-MAKING AND ENSURE CONSISTENCY. ALL REWARDS ARE DISCRETIONARY AND SUBJECT TO FINAL INTERNAL APPROVAL. TAC RESERVES THE RIGHT TO MODIFY OR TERMINATE THIS POLICY AT ANY TIME WITHOUT NOTICE.
This Bug Bounty Program Policy (“Policy”) outlines the internal process for evaluating, rewarding, and recording contributions from community members (“Contributors”) who help identify technical bugs, including any vulnerabilities, in the layer 1 TAC blockchain (“Protocol”). This Policy is discretionary and nothing in this document creates a legal obligation on the part of TAC Foundation, its affiliates or service providers (“TAC”).
- Purpose
The purpose of the bug bounty program of the Protocol (“Program”) is to recognize and reward meaningful contributions that help improve the security and stability of the Protocol in cases where bugs are responsibly disclosed.
- Eligibility and Case Validation
All bug bounty claims under the Program are assessed and validated by TAC, with input from its technical team. The decision to approve, reject, or modify any bounty reward or process lies solely and entirely within the discretion of TAC. TAC may consider factors such as risk level, technical effort, contribution value, prior interactions, or any other relevant context, but is not obligated to follow any predefined formula or outcome. No Contributor shall have a right or entitlement to a reward unless and until expressly confirmed by TAC in writing.
A bug will be considered eligible for a reward if:
- It poses a serious or high-impact risk to protocol security (e.g., fund drain, unauthorized access, transaction manipulation) or significantly affects operational stability (e.g., chain halts, denial-of-service).
- It is original, non-trivial, and was previously unknown to TAC. In the case of duplicate submissions:
  a) The first submission to provide a clear and reproducible report of a specific bug will be eligible for the full reward.
  b) If multiple submissions of the same bug are received within a short timeframe (e.g., within 24 hours), TAC may, at its sole discretion:
    • reward only one submission,
    • allocate the reward among several submissions in varying proportions depending on the completeness of the disclosure and the usefulness of the information provided, or
    • decide not to grant any reward if the submissions do not provide sufficient value.
  c) Submissions that are similar but identify distinct bugs will be treated as separate entries and rewarded accordingly.
- It is disclosed confidentially to TAC, allowing sufficient time for mitigation before any public statement. For the avoidance of doubt, any public disclosure of the bug before it is communicated to TAC or during TAC’s assessment of the bug submission will automatically render the submission ineligible to receive any bounty reward and may subject the Contributor to legal liability. Any further public disclosure of the bug may be made only with TAC’s express prior written consent.
- It includes a clear and reproducible technical explanation and is confirmed and verified by the core technical team of TAC.
- The Contributor has not violated any applicable laws, ethical standards, or TAC’s or third-party intellectual property rights in the discovery process.
Each case must satisfy at least the following checklist before the bounty reward distribution:
- Seriousness level assessed.
- Security or stability impact confirmed.
- Technical validation completed by TAC’s technical team.
- Submission, Reward Determination & Process
Submissions shall be sent to info@tac.build, with tech@tac.build in cc. The text of the submission must:
- explain how the bug works, including relevant context, affected components, and potential outcomes;
- include the steps to replicate the bug (e.g., code snippets, testnet transactions, curl commands, RPC calls), such that the team can independently confirm the issue by following the instructions;
- allow TAC’s technical team to reproduce the exploit or behavior consistently under test or dev conditions.
Rewards are issued in TAC tokens. The amount is determined at TAC’s sole discretion on a case-by-case basis, based on the severity, impact, and nature of the contribution. TAC reserves the right to modify reward amounts or decline to issue rewards at any time. No specific reward amount is guaranteed, and all reward decisions are final. In order to receive the award, the Contributor must provide a valid EVM-compatible wallet address for the award payout.
- Compliance Checks & Token Transfer
Before any award payout is executed to the Contributor:
- A KYT (Know Your Transaction) check is performed on the wallet address.
- Rewards ≥ 100,000 TAC will trigger the following additional steps:
  - A test transaction must be executed and confirmed.
  - Contributor shall complete KYC procedures as required by TAC’s compliance policies, including but not limited to providing proof of identity, country of residence, and other documentation as may be requested. TAC reserves the right to decline rewards to Contributors who fail to complete KYC requirements or are located in restricted jurisdictions.
- Intellectual Property License
By submitting any information, documentation, code, or other materials under this Policy, the Contributor grants TAC a perpetual, irrevocable, worldwide, royalty-free, fully sublicensable and transferable license to use, reproduce, modify, distribute, display, perform, and otherwise exploit such materials for any purpose related to the Protocol, including remediation, improvement, or security hardening. The Contributor agrees that no compensation, other than any discretionary reward, shall be due in connection with such license.
- Taxes
Contributors are solely responsible for determining, reporting, and paying any and all taxes, duties, or other governmental charges that may apply to their receipt of tokens or participation in the Program, in accordance with the laws of their jurisdiction. TAC assumes no liability for such obligations and will not provide tax advice or reporting assistance.
- No Employment or Partnership
Participation in the Program does not create any employment, partnership, agency, or contractor relationship between the Contributor and TAC.
- Liability and Indemnification
This Policy shall be governed by and construed in accordance with the laws of the Cayman Islands, without regard to its conflict of law principles. To the maximum extent permitted by applicable law, TAC Foundation, its affiliates, contributors, officers, employees, agents and service providers shall not be liable for any indirect, consequential, special, or punitive damages arising out of or in connection with this Policy, the Program and TAC tokens, including but not limited to the issuance or non-issuance of any reward. Nothing in this Policy shall exclude liability for death, personal injury, fraud, or other liabilities that cannot be excluded under Cayman Islands law. All Contributors acknowledge that participation in the Program is entirely voluntary and at their own risk.
By submitting a bug or participating in this program, the Contributor agrees to adhere to ethical testing practices. Prohibited testing methods include, but are not limited to: DDoS attacks, social engineering, and physical security testing without authorization. The Contributor agrees to indemnify and hold harmless TAC Foundation, its affiliates, contributors, officers, employees, agents and service providers from any and all claims, damages, or liabilities arising out of their participation, including any third-party claims related to the submission, technical findings, tax obligations, or reward payment.
TAC shall not be liable for any errors, losses, or damages arising from the transfer of TAC tokens as rewards, including but not limited to, incorrect wallet addresses, unauthorized access, or security breaches. It is the sole responsibility of the Contributor to ensure that the provided EVM-compatible wallet address is accurate, secure, and capable of receiving TAC tokens. The Contributor acknowledges that any failure to maintain the security and correctness of their wallet address may result in the forfeiture of the reward, and TAC shall bear no liability for such forfeiture.