Bug Bounty Program

Last updated: April 2nd, 2021

Introduction
The Keystone Bug Bounty Program is designed to encourage security research into Keystone hardware and software and to reward researchers for their invaluable contribution to the security of all Keystone users.
Eligibility
To be eligible for a reward under this program, the security vulnerability must meet these general requirements:
  • The security vulnerability must be original and previously unreported.
  • The security vulnerability must be part of Keystone’s code, not the code of a third party.
  • You must not be an employee, contractor, or otherwise have a business relationship with the Keystone company or any of its subsidiaries.
  • You must not exploit the security vulnerability for your own gain. Before publishing any part of the security issue, you must give us a reasonable amount of time to fix the issue.
Keystone reserves the right to decide if the vulnerability is real and serious enough to receive any bounty.
Examples of the security vulnerabilities that are in-scope:
  • Bypass of the password, or similar
  • Arbitrary code execution on the SE
  • Arbitrary code execution on the MCU (without physical access)
  • Bypass of user confirmation, or misleading the user into approving a transaction
  • Leak of private key material
  • Remote code execution
Examples of the security vulnerabilities that are out-of-scope:
  • Vulnerabilities in third-party applications, sites or services
  • Vulnerabilities without supporting evidence, such as working proofs of concept, reproduction cases, debug output or output from a tool
  • Vulnerabilities on our websites (unless they lead to a vulnerability in our hardware or software products)
  • Issues related to SPF/DMARC records
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
  • Denial of service attacks
  • Spamming
  • Clickjacking
Responsible Disclosure Policy
Keystone strongly supports security research into our products and wants to encourage that research.
As a result, we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this Bug Bounty Program, or for any accidental or good faith violation of this policy.
As long as you comply with this policy, we waive any restrictions in our applicable Terms of Service that would otherwise prohibit your participation in this program, for the limited purpose of your security research under this policy.
Submission Process
Please send a PGP-encrypted email to security@keyst.one. Start with a cleartext message containing your public key, and we'll reply appropriately.
Please include:
  • Code which reproduces the issue as a proof of concept.
  • Detailed description and potential impact of the vulnerability.
  • Your name or Twitter handle for attribution (if you want).
We will respond within 5 working days to confirm receipt of your report and triage the reported vulnerability. We will also ask about anything that is unclear in the report, and we will keep you posted on our validation and fix process.
We will agree a coordinated disclosure timeline with you for the vulnerability, and we will contact you if more time is required.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Keystone’s prior written approval.
Reward
The decision to grant a reward for the discovery of a valid vulnerability is at Keystone’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your vulnerability report, ease of exploit and overall risk for Keystone’s users and brand.
Bounties will be paid directly to the researcher in bitcoin.
You will be responsible for any tax implications, as determined by the laws of your jurisdiction of residence or citizenship.
We may modify the terms of this program or terminate this program at any time without notice.