Trezor Security: How We Protect Your Crypto Keys

Join the Trezor bug
bounty program

Help us secure the future of self-custody. Report vulnerabilities. Earn rewards. Follow these rules:

Act in good faith to protect user and company data.

Give us time to fix the issue before disclosing it publicly.

Avoid any fraud or harm during your research.

Relevant topics

Trezor devices and firmware

Seed extraction or injection
PIN bypass
Bypassing user confirmation
Private key extraction
Physical and supply chain attacks

This category matters most as Trezor is the ultimate point of security in our threat model.

Trezor Suite app and Trezor Connect

Cross-site scripting (XSS)
Third-party libraries and supply chain attacks
Vulnerabilities in trading or staking sections

Blockbook and other backend infrastructure

Blockbook server exploitation
Backend infrastructure misconfigurations

Trezor.io

Cross-site scripting (XSS)
Third-party libraries and supply chain attacks
Broken access control
Sensitive data exposure
SQL injection
Server misconfiguration
Payment & order tampering

Any other issues that are not listed above and at the same time not excluded in the full terms.

More details in full terms

Reward structure

Vulnerability class

Reward

Low

$0 – $2 000

Medium

$250 – $5 000

High

$500 – $10 000

Critical

$1 000 – $100 000*

Reward depends on the product it affects and severity. We reserve the right to determine the severity and eligibility of reports.

*In exceptionally disastrous cases, there is no upper limit.

More details in full terms

How to report

Code – A proof of concept demonstrating the issue.
Description – A thorough explanation of the bug and its potential impact.
Name or nickname (optional) – To be included on our list of past issues.

In case you consider this a sensitive matter, we will provide instructions on how to set up a Signal encrypted channel.

Full terms

Report vulnerability

We reserve the right to determine the severity and eligibility of reports.

Resolved vulnerabilities

Reported by community. Investigated. Resolved. Because your security is never optional.

Inside Trezor security

Scams and phishing

Common tactics scammers use against Trezor users

Security & safety in Trezor

Explore security features of all Trezor models

Trezor Safe device authentication check

How Trezor Safe verifies authenticity

Join the Trezor bugbounty program

Resolved vulnerabilities

Inside Trezor security

Join the Trezor bug
bounty program