Security portal
Because your security is never optional.
Join the Trezor bugbounty program
Help us secure the future of self-custody. Report vulnerabilities. Earn rewards. Follow these rules:
Act in good faith to protect user and company data.
Give us time to fix the issue before you disclose it publicly.
Avoid any fraud or harm during your research.
Relevant topics
Trezor devices and firmware
- Seed extraction or injection
- PIN bypass
- Bypassing user confirmation
- Private key extraction
- Physical and supply chain attacks
This category is the most important, since Trezor is the ultimate security point in our threat model.
Trezor Suite app and Trezor Connect
- Cross-site scripting (XSS)
- Third-party libraries and supply chain attacks
- Vulnerabilities in trading or staking sections
Blockbook and other backend infrastructure
- Blockbook server exploitation
- Backend infrastructure misconfigurations
Trezor.io
- Cross-site scripting (XSS)
- Third-party libraries and supply chain attacks
- Broken access control
- Sensitive data exposure
- SQL injection
- Server misconfiguration
- Payment & order tampering
Any other issues not listed above and not excluded in the full terms.
More details in full termsReward structure
Vulnerability class
Reward
Low
$0 – $2 000
Medium
$250 – $5 000
High
$500 – $10 000
Critical
$1,000 – $100,000*
Reward depends on the product affected and its severity. We reserve the right to determine severity and report eligibility.
*In exceptionally disastrous cases, there is no upper limit.
More details in full termsHow to report
Contact us at [email protected] and include the following:
- Code – A proof of concept that demonstrates the issue.
- Description – A thorough explanation of the bug and its potential impact.
- Name or nickname (optional) – To be listed among previous issues.
If you consider this a sensitive matter, we'll give you instructions on how to set up a Signal encrypted channel.
Full terms
We reserve the right to assess the severity and eligibility of reports.
Resolved vulnerabilities
Reported by the community. Investigated. Resolved. Because your security is never optional.
- Inability to cancel certain flows on pre-production firmwareOctober 31, 2025
- Fix side-channel in BIP-39 mnemonic processing when unlockedSeptember 24, 2025
- Donjon's Trezor Safe 3 evaluationNovember 12, 2024
- Missing confirmation in the ECDHSessionKey callNovember 26, 2023
- XSS in Trezor Connect legacy versionsFebruary 7, 2023
- Insufficient field size check in ProtobufJuly 12, 2021