At SatoshiLabs and Trezor, the safety of our products and services is a top priority. If you have identified a security vulnerability, we would greatly appreciate your assistance in disclosing it to us in a responsible manner.
As a way to engage with security researchers and hackers, we offer a bug bounty program. The process is straightforward: simply report any vulnerabilities you discover through responsible disclosure. Once they are confirmed, we will publicly recognize your contribution by including your details on our list of past issues and rewarding you with a bounty paid in bitcoin.
Requirements
In order to participate in our bug bounty program, we ask that researchers adhere to the following guidelines:
- Act in good faith and make every effort to protect user and company data from leakage or destruction.
- Give us a reasonable amount of time to fix any issues before they are made public.
- Do not defraud our users or us during the discovery process.
We will not take legal action against researchers who report problems, as long as they do thier best to adhere to these guidelines.
However, we reserve the right to determine if a reported bug is legitimate and severe enough to warrant a bounty.
In addition, we may proactively close potential security vulnerabilities in our software, even if they are not currently being exploited. This means that we may make changes to our code in response to a report, even if the issue cannot be used to launch an attack. While we do not offer bounties for purely theoretical vulnerabilities, we reserve the right to patch them anyway. To prove that an issue is a genuine vulnerability, we require a working exploit demonstration.
Relevant topics
- Private key extraction from Trezor.
- Tricking Trezor into confirming an action without user interaction.
- Bypassing PIN/passphrase protections of Trezor.
- Tricking Trezor into running unsigned firmware without warning.
- XSS or CSRF on suite.trezor.io or trezor.io.
- Obtaining user information from the Trezor Suite backends.
Please, do not report
- Vulnerabilities on sites hosted by third parties (Medium, Twitter, Facebook, CloudFlare, etc.)
- Denial of Service attacks
To report a security vulnerability, please contact our Security Team directly with the following information:
- Code: A proof of concept demonstrating the issue.
- Detailed description: A thorough explanation of the bug and its potential impact.
- Your name/nickname and attribution link (optional): To be included on our list of past issues
- Bitcoin address: Where you would like to receive your bounty payment.
Use both of the following PGP keys when submitting sensitive information
Send it to the following email address: [email protected].
Thank you for helping us keep our products and services secure for all users!
If you require further assistance, please contact us via our
chatbot Hal who will help resolve your issue.