Bug Bounty Program Terms

At Trezor, transparency and security are our top priorities. Our source code is publicly available, having undergone audits by independent security researchers for many years. By embracing open-source principles and actively collaborating with our community, we continually strengthen the safeguards protecting Trezor devices, software, and infrastructure.

If you believe you’ve discovered a vulnerability that could significantly affect Trezor devices, software, or infrastructure, please report it to [email protected]. Our Security Team will verify the issue, work with you on a fix, and reward the first valid submission.

Scope

Our Bug Bounty Program covers our hardware, software, and related infrastructure. We are particularly interested in vulnerabilities that could potentially allow attackers to compromise the security of crypto assets managed by Trezor devices.

  1. Trezor device and its firmware
  2. Trezor Suite and Trezor Connect
  3. Blockbook and related infrastructure
  4. Trezor.io e-shop
  5. Other websites running at trezor.io operated by us

Trezor devices and firmware

This category includes vulnerabilities specifically related to Trezor hardware devices, firmware, physical device security, and device-level supply chain integrity. It is by far the most important category to us, as the Trezor device is the ultimate point of security in our threat model.

  • Firmware vulnerabilities: Unauthorized seed extraction or injection, PIN bypass, arbitrary code execution without firmware warning, private key extraction, bypass of user transaction confirmation, theft of crypto assets, loss of plausible deniability, privacy compromise, bricking of device remotely.
  • Local physical attacks: Non-invasive exploits, invasive exploits without noticeable tampering ("Evil Maid" attacks), invasive exploits with noticeable tampering (e.g., chip decapping).
  • Supply chain attacks: Physical or software tampering with Trezor hardware devices or accessories before reaching the user.
  • Bricking of Trezor device: Remote exploits that render Trezor device permanently unusable.

Rewards

Hardware and firmware vulnerabilities are the most important to us. When assessing their severity, we treat scalability as a very important factor. A vulnerability that does not lead to coin loss directly but scales very well and lowers the product’s security can be more critical than a hard-to-scale hardware attack that requires physical possession of the Trezor.

Vulnerability Class    Reward Range
Low                    $0 – $2,000
Medium                 $250 – $5,000
High                   $500 – $10,000
Critical               $10,000 – $100,000*

Trezor Suite and Trezor Connect

This section covers vulnerabilities affecting Trezor Suite, Trezor Connect (same repository as Suite) and any related JavaScript libraries and software components.

  • Cross-site scripting (XSS): Injection of malicious scripts into Trezor Suite or Trezor Connect.
  • Third-party library and supply chain vulnerabilities: Malicious modifications or vulnerabilities in third-party JavaScript libraries and dependencies integrated into Trezor Suite with clear impact on the product’s security.
  • Modifications of data sent to or received from Trezor: Any vulnerabilities that can lead to modification of data (e.g. transactions and addresses) sent to or received from Trezor. Please note that in our threat model we assume the host can be fully malicious and transactions need to be confirmed on Trezor’s display. Any vulnerabilities in Suite will be treated with that in mind.
  • Bypassing the Suite authentication checks: New exploits that highlight the limitations or demonstrate methods of circumventing Trezor Suite’s recommended authentication checks in the Trezor Safe series. We are particularly interested in clever or novel attacks.
  • Vulnerabilities in our trading section: Any exploits or security issues in our buy/sell/swap interfaces and staking offerings, including their backend implementations operated by us.

Rewards

The Trezor device operates on the assumption that the host can be fully malicious. We still take these issues seriously, but our threat model differs from that of most software wallets. That is why our potential rewards may be lower than those of software wallets, where such an issue can lead directly to theft. In our case, the Trezor device always remains the ultimate protection.

Vulnerability Class    Reward Range
Low                    $0 – $500
Medium                 $500 – $1,000
High                   $1,000 – $5,000
Critical               $5,000 – $20,000

Blockbook and other backend infrastructure

This category includes vulnerabilities in the Blockbook servers and other backend infrastructure critical to the Trezor ecosystem.

  • Blockbook server exploitation: Unauthorized access or privilege escalation on Blockbook servers, remote code execution vulnerabilities specifically targeting Blockbook servers, misconfigurations (e.g., Nginx server misconfigurations) allowing unauthorized access to internal resources or unintended actions.
  • Backend infrastructure misconfigurations: Firewall misconfigurations or significant backend server settings issues exposing internal services beyond intended restrictions, proven vulnerabilities enabling unauthorized access or remote code execution via endpoints.

Rewards

As we do not store any user data (except for logs kept for a very limited time), potential backend exploits cannot directly affect users' funds.

Vulnerability Class    Reward Range
Low                    $0 – $500
Medium                 $500 – $1,000
High                   $1,000 – $5,000
Critical               $5,000 – $10,000

Trezor.io

Issues related to our e-commerce solution located at trezor.io.

  • Cross-site scripting (XSS): Injection of malicious scripts into Trezor.io.
  • Third-party library and supply chain vulnerabilities: Malicious modifications or vulnerabilities in third-party JavaScript libraries and dependencies integrated into Trezor.io that can lead to provable security exploits.
  • Broken Access Control: Any attacks that enable an attacker to access the administration interface.
  • Sensitive Data Exposure: Leakage of any personal information, sensitive API keys or credentials.
  • SQL Injection: SQL injection flaws that allow attackers to obtain sensitive data.
  • Server misconfiguration: Misconfigurations allowing unauthorized access to internal resources or unintended actions, for example nginx or Cloudflare misconfigurations. Please also see the “Out-of-Scope Issues” section below.
  • Payment & Order Tampering: Price manipulation, discount/coupon abuse or free product through cart/request tampering. Any abuse of loyalty programs, gift cards, or referral schemes or any checkout anomalies.

Rewards

Vulnerability Class    Reward Range
Low                    $0 – $500
Medium                 $500 – $1,000
High                   $1,000 – $5,000
Critical               $5,000 – $50,000

Other

Any other issues that are not listed above and are not excluded below. Usually these concern websites running at *.trezor.io operated by us.

Out-of-Scope Issues

The following types of issues are not considered in scope for reporting:

  • Clickjacking & Tabnabbing: Techniques that rely solely on deceptive interfaces or redirects, without posing a direct security impact on the Trezor device.
  • Phishing or social engineering attacks: Attacks that rely on deceiving users, without exploiting technical vulnerabilities. While these are out of scope for the bug bounty program, we still encourage and appreciate reports of phishing or fraudulent websites to help protect the community.
  • Missing security headers without proof of concept: Reports of missing HTTP security headers unless accompanied by a working, exploitable proof of concept.
  • Reports from automated vulnerability scanners: Automated reports without manual verification or demonstrated exploitability.
  • Insecure SSL/TLS cipher suites unless exploitable: Reports of weak SSL/TLS configurations unless they have a proven security impact.
  • Outdated libraries without major vulnerabilities: Reports of outdated dependencies unless they are linked to significant, exploitable vulnerabilities.

Responsible Disclosure Guidelines

By submitting a vulnerability, you agree to provide us time to diagnose and resolve the issue before sharing details with third parties or the public.

Reporting Rules

  • Use exploits solely to verify the existence of vulnerabilities.
  • Vulnerabilities must demonstrate clear exploitability and practical impact to be eligible for rewards.
  • Non-exploitable theoretical vulnerabilities or routine scanning results without demonstrated practical impact are not eligible for rewards.
  • When submitting a vulnerability report, you agree to allow us the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties or the public. We will coordinate the disclosure together.
  • Do not engage in testing that degrades our systems or impacts users; results in unauthorized access, storage, sharing, or destruction of data; or involves social engineering or spam.
  • Do not exploit vulnerabilities beyond what is necessary to confirm their existence.
  • Avoid phishing and social engineering of our employees or collaborators.

Rewards

You may be eligible for a reward for reporting a vulnerability if the following conditions are met:

  • You are the first person to report the vulnerability.
  • The vulnerability is confirmed by the security team.
  • You have complied with the rules outlined above.

Rewards will be paid directly to the researcher in Bitcoin, based on the USD/BTC exchange rate at the time of payment. To receive the reward, you must provide a valid Lightning Network (LN) invoice or Bitcoin address after we confirm the vulnerability. We will notify you when it’s time to submit your invoice. In some special circumstances we may consider paying out in EUR if requested.

Reward Amounts

Possible rewards are noted above in each section. The reward amount is determined by:

  • Severity classification
  • The impact on crypto assets managed by Trezor.
  • The completeness of your report.

Please note that our main interest is in attacks lowering the security of the Trezor device itself. Other vulnerabilities are therefore treated as lower impact. The final reward amount is determined solely by Trezor.

Submission Process

To report a vulnerability, please email us at [email protected]. If you consider the matter sensitive, we will provide instructions on how to set up a Signal encrypted channel.

Report Requirement

Include:

  • A detailed description of the vulnerability and its potential impact.
  • Clear steps to reproduce the issue (proof-of-concept scripts or screenshots recommended).
  • An explanation of how it affects crypto assets managed by Trezor.
  • Reports must be written in English.

Communication

All further communications, including any exchange of sensitive information, should occur through [email protected]. If enhanced security is needed, we will agree on a more secure channel, typically a Signal group chat.

Remediation & Disclosure

We will verify and prioritize your report, then work to remediate the vulnerability promptly. We will keep you informed of progress. Refrain from public disclosure until the issue is fully resolved.

Acknowledgment Program

With your consent, we will display your name or pseudonym as the discoverer of the reported vulnerability on our website’s acknowledgment page. If desired, we can also include an optional attribution link.