Talis Bug Bounty

Help make Talis safer and better for users.

Start testing Report a vulnerability

Rewards

Critical security or business-risk bugs

Unauthorized access, trading/balance exploits, privilege escalation

$50

Feature suggestions

A clearly useful feature idea that Talis decides to build

$50*

Auth or finance-related bugs

$30

Security vulnerabilities

Non-critical security issues, weak access control, XSS/CSRF with real impact

$30

General product bugs

Broken flows, state bugs, issues in settings/onboarding/notifications

$15

Talis AI chat bugs

Broken chat flows, bad rendering, incorrect AI behavior, crashes

$15

UI/UX improvements

A meaningful UX improvement that Talis decides to implement

$15*

* If implemented. Rewards are discretionary. Only the first valid report for a given issue is eligible. Multiple variants of the same root cause may receive a single reward. Talis may decline rewards for low-signal, low-effort, or abusive submissions.

We value thoughtful reports that help make Talis safer and better for users. If you find a valid issue in scope and report it responsibly, we may issue a reward based on severity, impact, and report quality. For feature and UI suggestions, rewards are discretionary and only apply if Talis decides to implement the improvement.

How to report an issue

Email tanisha@talis.trade with:

A short summary of the issue and why it matters.
Exact steps to reproduce it.
The environment used.
Screenshots, logs, or proof of concept if available.
The account, device, app version, and endpoint involved.
For feature or UI suggestions, the problem, the proposed improvement, and why users would want it.

We review valid submissions as quickly as we can and may follow up for additional detail.

What to look for

Focus areas

We care most about reports involving:

Authentication and session issues.
Unauthorized access to user or financial data.
Bugs affecting trading actions, balances, or order flow.
Privilege escalation.
Meaningful vulnerabilities in production APIs.
Security or reliability issues in Talis AI chat.

In scope

Only the following official Talis-owned surfaces are in scope:

The Talis website.
The Talis iOS app (TestFlight beta).

Production assets

Website — talis.trade
iOS app (TestFlight beta) — testflight.apple.com/join/epcayY7p

Anything not explicitly listed above is out of scope.

Out of scope

The following are not eligible for rewards:

Duplicate reports.
Reports without clear reproduction steps.
Automated scanner output without validation.
Theoretical issues without demonstrated impact.
Social engineering, phishing, or impersonation.
Denial of service, traffic flooding, spam, or resource exhaustion.
Attacks requiring physical access.
Testing on assets not explicitly listed in scope.
Third-party issues without a direct Talis-specific exploit path.
Self-XSS.
Clickjacking on pages with no sensitive actions.
Missing security headers alone.
Version disclosure.
SPF, DKIM, DMARC, TLS, DNS, or other best-practice findings without a real exploit path.
Attempts to bypass plan limits, referral mechanics, promotions, rewards, or growth systems.
Bugs that require compromising another user, employee, or vendor account.
Feature requests submitted as fake bug reports.
Requests for payment before enough detail is shared to validate the issue.

Low-value informational findings may be acknowledged but are unlikely to qualify for a reward.

Rules for testing

Please follow these rules while testing:

Only test on accounts you own or have explicit permission to use.
Do not target other users’ accounts, balances, portfolios, orders, or data.
Do not attempt to place, alter, cancel, or manipulate trades on behalf of others.
Do not attempt to modify balances, withdrawals, account state, or financial records beyond the minimum needed to prove an issue.
Do not use excessive automation or request volume.
Do not degrade or interrupt service.
Stop testing as soon as you confirm the issue exists.
Do not exfiltrate, retain, or share sensitive data.
Do not pivot to other systems or attempt persistence.
Do not publicly disclose an issue before Talis has had reasonable time to address it.

Because Talis is a trading product, researchers must avoid any testing that could create real financial harm, market manipulation, unauthorized trades, or changes to production balances or order flow.

Safe harbor

If you make a good-faith effort to follow this policy, test only in scope, avoid harm, avoid privacy violations, and promptly report what you find, Talis will consider your actions authorized under this policy and will not initiate legal action against you for that research.

If a third party initiates legal action against you for activities that were conducted in compliance with this policy, Talis may take steps to clarify that your actions were authorized under this policy.

Ready to report?

tanisha@talis.trade