All articles

How to report a security issue

At SatoshiLabs and Trezor, the safety of our products and services is a top priority. If you have identified a security vulnerability, we would greatly appreciate your assistance in disclosing it to us in a responsible manner.

As a way to engage with security researchers and hackers, we offer a bug bounty program. The process is straightforward: simply report any vulnerabilities you discover through responsible disclosure. Once they are confirmed, we will publicly recognize your contribution by including your details on our list of past issues and rewarding you with a bounty paid in bitcoin.

 

Requirements

In order to participate in our bug bounty program, we ask that researchers adhere to the following guidelines:

 

  • Act in good faith and make every effort to protect user and company data from leakage or destruction.
  • Give us a reasonable amount of time to fix any issues before they are made public.
  • Do not defraud our users or us during the discovery process.

 

We will not take legal action against researchers who report problems, as long as they do thier best to adhere to these guidelines.

However, we reserve the right to determine if a reported bug is legitimate and severe enough to warrant a bounty.

In addition, we may proactively close potential security vulnerabilities in our software, even if they are not currently being exploited. This means that we may make changes to our code in response to a report, even if the issue cannot be used to launch an attack. While we do not offer bounties for purely theoretical vulnerabilities, we reserve the right to patch them anyway. To prove that an issue is a genuine vulnerability, we require a working exploit demonstration.


Relevant topics

  1. Private key extraction from Trezor.
  2. Tricking Trezor into confirming an action without user interaction.
  3. Bypassing PIN/passphrase protections of Trezor.
  4. Tricking Trezor into running unsigned firmware without warning.
  5. XSS or CSRF on  suite.trezor.io or  trezor.io.
  6. Obtaining user information from the Trezor Suite backends.
 

Please, do not report

  • Vulnerabilities on sites hosted by third parties (Medium, Twitter, Facebook, CloudFlare, etc.)
  • Denial of Service attacks

To report a security vulnerability, please contact our Security Team directly with the following information:
  • Code: A proof of concept demonstrating the issue.
  • Detailed description: A thorough explanation of the bug and its potential impact.
  • Your name/nickname and attribution link (optional): To be included on our list of past issues 
  • Bitcoin address: Where you would like to receive your bounty payment.
 

Contact us at the following email address: [email protected]. In case you consider this a sensitive manner we will provide instructions how to set up a Signal encrypted channel.



Thank you for helping us keep our products and services secure for all users!
 
If you require further assistance, please contact us via our chatbot Hal who will help resolve your issue.