Introducing Toloka’s Bug Bounty Program: Strengthening Security with Ethical Hacking
At Toloka, data security and privacy are at the core of everything we do. As part of our ongoing commitment to safeguarding the data of our users and clients, we’re excited to introduce our Bug Bounty Program: an initiative that invites security researchers and ethical hackers to help us identify and address vulnerabilities before they can be exploited.
What is the Toloka Bug Bounty Program?
Our bug bounty program is designed to enhance the security of our expert platform, Mindrift, in both its Web and Mobile versions, by leveraging the expertise of the global security research community. By participating, researchers can help us fortify our defenses while earning rewards for their contributions.
Scope and Eligibility
The program focuses on identifying critical security vulnerabilities while excluding lower-risk issues such as denial-of-service attacks, non-sensitive information disclosure, and minor misconfigurations. We welcome submissions that demonstrate real security risks, including authorization bypasses, account takeover, and business logic flaws.
Researchers worldwide can participate, except those from restricted regions as outlined in our guidelines. We follow HackerOne’s Gold Standard Safe Harbor policy, ensuring that ethical hacking within our program remains legally protected and aligned with responsible disclosure best practices.
Bounty Rewards and Submission Process
We offer competitive rewards of up to $3,000 USD based on the severity of discovered vulnerabilities, categorized using the Common Vulnerability Scoring System (CVSS).
Valid reports must include a proof of concept, impact assessment, and detailed reproduction steps. Submissions should be made via our HackerOne platform, where researchers will receive responses within three days, with a full triage process completed within seven days. Bounties will be issued within 30 days of a verified vulnerability.
Our Commitment to Security
Launching a public bug bounty program reflects the maturity of our security practices. Unlike companies that fear the costs of fixing vulnerabilities, we believe in proactive security and addressing issues before they reach production. Our internal SLA mandates fixing critical vulnerabilities within five days and all other vulnerabilities within 30 days.
Join the Program
We invite security researchers to help us strengthen our defenses while earning rewards for their expertise. To get started, visit our HackerOne program page. For any inquiries, reach out to us at security@toloka.ai.
Together, we can make Toloka’s ecosystem more secure for everyone.
Updated: Feb 12, 2025