The paper proposes an algorithm for certifying the robustness of one layer and two-layer GCNs for graph classification under topological attack. As a byproduct, the authors also propose a new attack algorithm, which, when used in conjunction with the certificate, confirms empirically that both the attack and the certificate are often tight. There is consensus among the four reviewers that the paper should be accepted.