Security Disclosure Policy

Last updated: December 2024

Security Vulnerability Found?

If you've discovered a security vulnerability, please report it immediately using our secure channels below. Do not disclose publicly until we've had time to investigate and address the issue.


Our Commitment to Security

Security is paramount in everything we do. We are committed to maintaining the highest security standards for our hardware wallets and associated software. We work with security researchers worldwide to identify and address potential vulnerabilities.

Responsible Disclosure

We believe in responsible disclosure and ask security researchers to follow these guidelines:

  • Report vulnerabilities privately before public disclosure
  • Provide detailed information to help us reproduce and fix the issue
  • Allow reasonable time for investigation and remediation
  • Avoid accessing or modifying data that doesn't belong to you
  • Do not perform testing that could harm our systems or users

Scope of Security Research

In Scope

  • Hardware wallet firmware and security features
  • Secure element implementation and cryptographic functions
  • Companion software and mobile applications
  • Website security and data protection
  • Supply chain and manufacturing security
  • Physical device security and tamper resistance

Out of Scope

  • Social engineering attacks against employees
  • Physical attacks requiring specialized equipment
  • Denial of service attacks
  • Issues in third-party integrations we don't control
  • Theoretical vulnerabilities without practical impact

How to Report

Email Report

Send detailed information to:

security@defillama-eu.com

Use PGP encryption for sensitive reports. Public key available on request.

Bug Bounty Platform

Submit through our partner platform:

hackerone.com/defillama-eu

Managed bug bounty program with rewards for eligible vulnerabilities.

What to Include in Your Report

To help us quickly understand and address the issue, please include:

  • Description: Clear explanation of the vulnerability
  • Impact: Potential consequences and affected systems
  • Reproduction: Step-by-step instructions to reproduce
  • Evidence: Screenshots, videos, or proof-of-concept code
  • Environment: Device models, firmware versions, software versions
  • Timeline: When you discovered the issue

Our Response Process

1. Acknowledgment (24-48 hours)
   We'll confirm receipt of your report and assign a tracking number.

2. Initial Assessment (3-5 days)
   Our security team will validate and prioritize the vulnerability.

3. Investigation & Fix (varies)
   We'll work on a fix while keeping you updated on progress.

4. Resolution & Disclosure
   After fixing, we'll coordinate public disclosure and recognition.

Bug Bounty Rewards

We offer monetary rewards for qualifying vulnerability reports based on severity and impact:

  • Critical: $5,000+ (device compromise, key extraction)
  • High: $1,000+ (authentication bypass, data exposure)
  • Medium: $500+ (information disclosure, DoS)
  • Low: $100+ (minor security issues)

Recognition

We maintain a public hall of fame recognizing security researchers who have responsibly disclosed vulnerabilities. With your permission, we'll include your name and the issue you reported (after it's fixed).

Legal Safe Harbor

We will not pursue legal action against researchers who:

  • Follow responsible disclosure practices
  • Act in good faith and avoid privacy violations
  • Don't access or modify data belonging to others
  • Don't perform destructive testing
  • Comply with applicable laws and regulations

Contact Information

Security Team

security@defillama-eu.com
PGP: Available on request

Emergency Contact

For critical issues: +1 (555) 999-SECURITY
24/7 security hotline