Network Bounty Program
We pay a bounty to anyone who finds TOMMY making an undocumented external network connection.
TOMMY's core is closed source, so the way to verify our local data claims is to sandbox TOMMY and inspect its connections yourself. A privacy-conscious user would need to do that on every release, which is tedious. That's why we run this bounty program, incentivizing the community to do this check by rewarding anyone who finds undocumented network connections in current releases of TOMMY. Findings are fixed and published.
The claim we're asking you to test
All sensing data stays on your local network. The only external connections TOMMY makes are license activation and validation, and the optional Online Coordination service, exactly as documented under Network Communication in our privacy policy.
What qualifies
A valid finding is a connection leaving your device (the TOMMY server or a flashed device) to any external destination, or transmitting any data, that is not documented in the privacy policy's Network Communication section. This includes:
- Connections to undocumented hosts or endpoints
- Documented connections transmitting undocumented fields or data
- Any external transmission of sensing data, in any form
What does not qualify
- Local network traffic (peer-to-peer CSI packets, MQTT, mDNS, dashboard access)
- Traffic generated by your own configuration or third-party software not part of TOMMY
- If you run the firmware via the ESPHome component, the connection must originate from TOMMY's component, not from other components in your ESPHome configuration
- Connections initiated by your browser when using the dashboard, such as fetching the changelog from TOMMY's GitHub repository, unless those connections transmit sensing data
- DNS lookups for documented hosts
- A renamed field or a different encoding of the same documented data. Fields are documented by their meaning, not their exact wire format. What matters is whether undocumented information leaves your device
- Findings on beta, pre-release, or modified builds
- General security vulnerabilities. This program covers undocumented network communication only. Security issues should be reported to info@tommysense.com, but are outside this bounty's scope.
The bounty
€250 per release. The bounty applies to the latest released version of TOMMY. One bounty is paid per release regardless of how many undocumented connections are found in it, and the first valid submission received claims it. A submission must be received while the version it targets is the latest release, unless the undocumented connection is still present in the newer release. Ordering between submissions, and between submissions and releases, is decided by submission timestamps and release timestamps in the changelog.
Submitting a finding
Email bounty@tommysense.com with:
- The TOMMY version (server and firmware)
- A packet capture or equivalent evidence showing the connection
- Enough detail about your setup for us to reproduce it
We confirm receipt, verify the finding against the current release, and respond with our conclusion. Valid findings are paid, fixed, and published on this page with credit to the finder (or anonymously, your choice).
Payment
Payouts are made by bank transfer. To pay you, we need a name and payment details, and we may need basic identity information where required for our accounting or legal obligations. We can't pay anonymous submissions, but we can publish your finding anonymously.
We aim to verify submissions within 14 days, and pay valid findings within 30 days of verification.
Findings to date
Program started June 12, 2026, covering TOMMY 5.4.0 and later.
None so far.