SatoshiLabs: Security

Responsible Disclosure

We want to keep all our products and services safe for everyone. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner. We provide a bug bounty program to better engage with security researchers and hackers. The idea is simple: you find and report vulnerabilities through the responsible disclosure process. After they are confirmed, we recognize your effort by putting your name/nick, avatar and link in the table below and reward you with a bounty paid in Bitcoins!


We've paid bounties to the following world-class hackers:

  1. anonymous, 40 000 points
  2. Nicolas Bacca, 20 000 points
  3. Jochen Hoenicke, 20 000 points
  4. Luke Jahnke, 1 000 points


We require:

  • a reasonable amount of time to fix the issue before you publish it
  • a good-faith effort not to leak or destroy any user data or our data
  • that you do not defraud our users or us in the process of discovery

We promise not to bring legal action against researchers who point out a problem, provided they do their best to follow the above guidelines. We reserve the right to decide if the bug is real and serious enough to receive the bounty. We will also change our software to preemptively close possible security holes, even though we know they are not vulnerabilities at the present time. This means we may change our code in response to a report, even though the issue cannot actually be used as an attack. In other words, we don't pay bounties for unproven, theoretical issues, but we reserve the right to patch them anyway. Show us a working exploit if you want to prove it's a true vulnerability.

For reference, please consider the following list of things we want to know about:

  • private key disclosure from TREZOR
  • tricking TREZOR into confirming action without user interaction
  • bypassing PIN/passphrase protections of TREZOR
  • tricking TREZOR into running unsigned firmware without warning
  • XSS or CSRF on website
  • obtaining user information from myTREZOR backend

In general, these are not too interesting to us:

  • vulnerabilities on sites hosted by third parties (WordPress, CloudFlare issues, Mailchimp, etc.)
  • denial of service attacks
  • broad classes of possible vulnerabilities which may apply to us, but which you cannot prove actually do apply

How do I disclose my issue?

You can disclose a vulnerability by contacting our security team. Use both of the following PGP keys when posting sensitive information: stick, slush.

Please include:

  • code which reproduces the issue as a proof of concept
  • detailed description and potential impact of your bug
  • your name/nick, avatar and link for attribution on this page (if desired)
  • bitcoin address for your bounty