Bounty Program API

Submit vulnerability reports through the Tork bug bounty program. This is a public endpoint — no API key required.

Endpoint

POST /v1/bounty/submit - Submit a vulnerability report

Authentication

Public Endpoint
This endpoint does not require an API key. It is rate-limited to 5 submissions per hour per IP address.

Request Body

| Parameter | Type | Required | Description |
|---|---|---|---|
| title | string | Yes | Vulnerability title (min 5 characters) |
| severity | string | Yes | Severity: critical, high, medium, or low |
| category | string | Yes | Category (see valid values below) |
| description | string | Yes | Detailed description (min 20 characters) |
| steps_to_reproduce | string | Yes | Reproduction steps (min 10 characters) |
| expected_vs_actual | string | No | Expected vs actual behavior |
| email | string | Yes | Contact email (valid email format) |

Valid categories: policy_bypass, pii_gap, scoring_issue, receipt_integrity, autonomy, other

Example

```bash
curl -X POST "https://api.tork.network/v1/bounty/submit" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "PII detection bypass via Unicode normalization",
    "severity": "high",
    "category": "pii_gap",
    "description": "Email addresses using Unicode full-width characters bypass the PII detection engine. For example, sarah@example.com is not detected as an email.",
    "steps_to_reproduce": "1. Send a /govern request with full-width Unicode email\n2. Observe that no PII is detected",
    "expected_vs_actual": "Expected: Email detected and redacted. Actual: Content passes through unredacted.",
    "email": "researcher@example.com"
  }'
```

```json
{
  "submission_id": "TORK-BNT-a1b2c3d4",
  "status": "received",
  "message": "Thank you for your submission. Our security team will review it within 48 hours."
}
```

Response

| Field | Type | Description |
|---|---|---|
| submission_id | string | Unique ID (format: TORK-BNT-{hex}) |
| status | string | Always "received" on success |
| message | string | Confirmation message |

Error Responses

| Status | Description |
|---|---|
| 400 | Validation error — missing required fields, title too short, invalid category, etc. |
| 429 | Rate limit exceeded (5 submissions per hour per IP) |
| 500 | Internal server error |
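
The request rules and the submission ID format documented above can be checked locally before a report is sent, so it is not rejected with a 400. The following is an added example, not Tork's own code; the function names, the email pattern, the reading of "{hex}" and the flagging of undocumented fields are assumptions made for illustration.

```python
import re

# Constraints copied from the Request Body table on this page.
REQUIRED = ("title", "severity", "category", "description",
            "steps_to_reproduce", "email")
OPTIONAL = ("expected_vs_actual",)
MIN_LEN = {"title": 5, "description": 20, "steps_to_reproduce": 10}
SEVERITIES = {"critical", "high", "medium", "low"}
CATEGORIES = {"policy_bypass", "pii_gap", "scoring_issue",
              "receipt_integrity", "autonomy", "other"}
# Assumption: the page only says "valid email format"; this is a local
# approximation, not the server's actual rule.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Assumption: "{hex}" means one or more hexadecimal digits.
SUBMISSION_ID_RE = re.compile(r"TORK-BNT-[0-9a-fA-F]+")

def validate_report(report):
    """Return a list of problems; an empty list means the body fits the documented rules."""
    # Undocumented keys are flagged locally to catch typos such as "steps".
    errors = [f"{field}: not a documented parameter"
              for field in sorted(set(report) - set(REQUIRED) - set(OPTIONAL))]
    for field in REQUIRED + OPTIONAL:
        value = report.get(field)
        if value is None:
            if field in REQUIRED:
                errors.append(f"{field}: required")
            continue
        if not isinstance(value, str):
            errors.append(f"{field}: must be a string")
        elif len(value) < MIN_LEN.get(field, 0):
            errors.append(f"{field}: shorter than {MIN_LEN[field]} characters")
        elif field == "severity" and value not in SEVERITIES:
            errors.append("severity: must be critical, high, medium, or low")
        elif field == "category" and value not in CATEGORIES:
            errors.append("category: not one of the valid categories")
        elif field == "email" and not EMAIL_RE.fullmatch(value):
            errors.append("email: not a valid email format")
    return errors

def is_submission_id(value):
    """Check a response's submission_id against the TORK-BNT-{hex} format."""
    return isinstance(value, str) and SUBMISSION_ID_RE.fullmatch(value) is not None

# Constructed sample, modeled on the example request above.
SAMPLE = {"title": "PII detection bypass via Unicode normalization",
          "severity": "high", "category": "pii_gap",
          "description": "Full-width Unicode email addresses are not detected as PII.",
          "steps_to_reproduce": "1. Send a /govern request\n2. Observe no PII detected",
          "email": "researcher@example.com"}

if __name__ == "__main__":
    print(validate_report(SAMPLE) or "report matches the documented rules")
```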