Trezor Security: How We Protect Your Crypto Keys

Join the Trezor bug
bounty program

Help us secure the future of self-custody. Report vulnerabilities. Earn rewards. Follow these rules:

Act in good faith to protect user and company data.

Give us time to fix the issue before you disclose it publicly.

Avoid any fraud or harm during your research.

Relevant topics

Trezor devices and firmware

Seed extraction or injection
PIN bypass
Bypassing user confirmation
Private key extraction
Physical and supply chain attacks

This category is the most important, since Trezor is the ultimate security point in our threat model.

Trezor Suite app and Trezor Connect

Cross-site scripting (XSS)
Third-party libraries and supply chain attacks
Vulnerabilities in trading or staking sections

Blockbook and other backend infrastructure

Blockbook server exploitation
Backend infrastructure misconfigurations

Trezor.io

Cross-site scripting (XSS)
Third-party libraries and supply chain attacks
Broken access control
Sensitive data exposure
SQL injection
Server misconfiguration
Payment & order tampering

Any other issues not listed above and not excluded in the full terms.

More details in full terms

Reward structure

Vulnerability class

Reward

Low

$0 – $2 000

Medium

$250 – $5 000

High

$500 – $10 000

Critical

$1,000 – $100,000*

Reward depends on the product affected and its severity. We reserve the right to determine severity and report eligibility.

*In exceptionally disastrous cases, there is no upper limit.

More details in full terms

How to report

Code – A proof of concept that demonstrates the issue.
Description – A thorough explanation of the bug and its potential impact.
Name or nickname (optional) – To be listed among previous issues.

If you consider this a sensitive matter, we'll give you instructions on how to set up a Signal encrypted channel.

Full terms

Report vulnerability

We reserve the right to assess the severity and eligibility of reports.

Resolved vulnerabilities

Reported by the community. Investigated. Resolved. Because your security is never optional.

Inside Trezor security

Scams and phishing

Common tactics scammers use against Trezor users

Security & safety in Trezor

Explore security features of all Trezor models

Trezor Safe device authentication check

Check your device is genuine before use

Join the Trezor bugbounty program

Resolved vulnerabilities

Inside Trezor security

Join the Trezor bug
bounty program