Secure Gentwall, Earn Rewards

Join our bug bounty program and help us maintain the highest security standards for our hardware wallet users.

Up to $50,000
Maximum reward for critical vulnerabilities

Program Overview

Important: Gentwall is a hardware device designed to securely store private keys for cryptocurrencies. We do not offer exchange, trading, or custodial services.

Our bug bounty program is designed to encourage security researchers to responsibly disclose vulnerabilities in our hardware wallet products, firmware, software applications, and web infrastructure.

We believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in our products and services. If you believe you've found a security vulnerability, we want to hear from you.

Scope

Our bug bounty program covers the following areas:

  • Hardware Wallet Firmware: Security vulnerabilities in device firmware
  • Desktop Applications: Gentwall companion software for Windows, macOS, and Linux
  • Mobile Applications: iOS and Android companion apps
  • Web Infrastructure: Our official website and web services
  • Hardware Security: Physical attack vectors on the device
  • Cryptographic Implementation: Issues with cryptographic protocols

Reward Structure

Rewards are determined based on the severity and impact of the reported vulnerability:

Severity Level | Description | Reward Range
Critical | Remote code execution, private key extraction, fund theft | $20,000 - $50,000
High | Privilege escalation, authentication bypass, data exposure | $5,000 - $20,000
Medium | Information disclosure, denial of service, logic flaws | $1,000 - $5,000
Low | Minor security issues, configuration problems | $100 - $1,000

Vulnerability Categories

We are particularly interested in the following types of vulnerabilities:

  • Private Key Extraction: Methods to extract private keys from the device
  • Firmware Vulnerabilities: Exploits in device firmware or bootloader
  • Side-Channel Attacks: Power analysis, timing attacks, electromagnetic attacks
  • Supply Chain Attacks: Vulnerabilities in the manufacturing or distribution process
  • Cryptographic Flaws: Weaknesses in cryptographic implementations
  • Physical Attacks: Hardware tampering or extraction methods
  • Software Vulnerabilities: Exploits in companion applications
  • Web Application Security: XSS, CSRF, injection attacks on our website

Rules and Guidelines

To be eligible for our bug bounty program, please follow these guidelines:

  1. Responsible Disclosure: Report vulnerabilities privately to our security team
  2. No Public Disclosure: Do not publicly disclose vulnerabilities before we've had time to fix them
  3. No Destructive Testing: Do not attempt to access, modify, or delete user data
  4. Legal Compliance: Ensure your testing complies with applicable laws
  5. Single Submission: Submit each vulnerability only once
  6. Detailed Reports: Provide clear steps to reproduce the vulnerability
  7. Good Faith: Act in good faith and avoid violating user privacy

Out of Scope

The following are not eligible for rewards:

  • Social engineering attacks against our employees or customers
  • Physical attacks requiring extraordinary access to devices
  • Vulnerabilities in third-party software or services we don't control
  • Issues that require user interaction with obviously malicious content
  • Denial of service attacks
  • Spam or content injection without security impact
  • Issues that have already been reported or are publicly known
  • Vulnerabilities found through automated scanning tools without manual verification

Submission Process

To submit a vulnerability report, please follow these steps:

  1. Use the submission form below or email us at security@gentwall.com
  2. Include a detailed description of the vulnerability
  3. Provide clear steps to reproduce the issue
  4. Include proof-of-concept code or screenshots if applicable
  5. Specify the affected product version or service
  6. Include your contact information for follow-up questions

Encrypted Submissions: For highly sensitive vulnerabilities, please encrypt your report using our PGP key, which is available on request.

Response Timeline

We commit to the following response times:

  • Initial Response: Within 24 hours of submission
  • Triage and Assessment: Within 5 business days
  • Status Updates: Every 7 days until resolution
  • Fix Development: Varies based on complexity and severity
  • Reward Payment: Within 30 days of validated fix

Contact Information

For questions about our bug bounty program or to submit reports:

  • Security Email: security@gentwall.com
  • General Contact: contact@gentwall.com
  • Phone: +1 (646) 406-6829
  • Address: One Vanderbilt Ave. 65th Fl, New York, NY 10017, United States