Security portal

Because your security is never optional.

Join the Trezor bug bounty program

Help us secure the future of self-custody. Report vulnerabilities. Earn rewards. Follow these rules:
  • Act in good faith to protect user and company data.
  • Give us time to fix the issue before disclosing it publicly.
  • Avoid any fraud or harm during your research.
Relevant topics
Trezor devices and firmware
  • Seed extraction or injection
  • PIN bypass
  • Bypassing user confirmation
  • Private key extraction
  • Physical and supply chain attacks
This category matters most as Trezor is the ultimate point of security in our threat model.
Trezor Suite app and Trezor Connect
  • Cross-site scripting (XSS)
  • Third-party libraries and supply chain attacks
  • Vulnerabilities in trading or staking sections
Blockbook and other backend infrastructure
  • Blockbook server exploitation
  • Backend infrastructure misconfigurations
Trezor.io
  • Cross-site scripting (XSS)
  • Third-party libraries and supply chain attacks
  • Broken access control
  • Sensitive data exposure
  • SQL injection
  • Server misconfiguration
  • Payment & order tampering
Any other issues that are not listed above and are not excluded below are also in scope. Usually these are websites running at *.trezor.io and operated by us.
Please do not report
  • Vulnerabilities on sites hosted by third parties (Medium, Twitter, Facebook, Cloudflare, etc.)
  • Denial of Service attacks
More details in full terms
Reward structure
  Vulnerability class    Reward
  Low                    $0 – $2 000
  Medium                 $250 – $5 000
  High                   $500 – $10 000
  Critical               $1 000 – $100 000*
Reward depends on the product it affects and the severity of the issue. We reserve the right to determine the severity and eligibility of reports.
*In exceptionally disastrous cases, there is no upper limit.
More details in full terms
Full terms
How to report
Contact us at [email protected] and include the following:
  • Code – A proof of concept demonstrating the issue.
  • Description – A thorough explanation of the bug and its potential impact.
  • Name or nickname (optional) – To be included on our list of past issues.
If you consider this a sensitive matter, we will provide instructions on how to set up a Signal encrypted channel.

Inside Trezor security