Ledger believes in better security through openness.
We follow Kerchoff’s principle, which says that the best security systems (such as private key cryptography) are so good that you can tell people exactly how they work, and it wouldn’t compromise them in any way.
Some parts of our code cannot be published – but that’s not because our security relies on keeping it private. Many of the companies we work with – quite fairly – have certain legal and contractual requirements that prevent us from sharing their intellectual property.
In general, discussing our technology publicly allows people to suggest improvements, making it even better.
We welcome and value reports of technical vulnerabilities that could substantially affect the confidentiality or integrity of user data on Ledger devices.
If you believe that you have discovered such a vulnerability, the Ledger Security Team will work with you to investigate and resolve the issue promptly.
Good faith external contributions that uncover previously unidentified vulnerabilities will be rewarded.
External security researchers are expected to:
Ledger Security Team is expected to:
At Ledger, we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Ledger the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.
In return, Ledger commits that security researchers reporting bugs will be protected from legal liability, so long as they follow responsible disclosure guidelines and principles.
In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:
Various kinds of security related bugs are eligible for our bounty program. Generally, any information which significantly helps us to improve the security of our products will be eligible for a reward. Bugs concerning User Experience may be rewarded, if they are security related.
While non-exhaustive, research on the following security issues is most likely eligible for a reward:
Some less critical bugs may also be rewarded such as (remotely) crashing the device, unexpected seed erase and anything that denies access to Ledger services.
Web vulnerabilities, unless substantially affecting user data and business operations are not eligible.
The following types of problems are not included in the Bounty Program
Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.
Low quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process, which is in nobody’s interest. Please only submit one report per issue.
All communications between you and Ledger should go through [email protected]. Please make sure to request a GPG key before you submit any vulnerability information and any other sensitive data.
Do not use personal emails, social media accounts, or other private connections to contact a member of the Ledger Security Team regarding vulnerabilities or any issue related to the Bounty program, unless you have been instructed to do so by Ledger.
The Ledger Security Team will be in touch, usually within 24 hours.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Ledger’s prior written approval.
After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information or your qualification for a reward.
Bug reporters allow Ledger the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.
Once the security issue is fixed or mitigated, the Ledger Security Team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. In case of disagreement, we would explore mediation mechanisms.
You may be eligible to receive a reward if: (i) you are the first person to submit a given vulnerability; (ii) that vulnerability is determined to be a valid security issue by the Ledger Security Team; and (iii) you have complied with the Ledger Bounty program policy and guidelines.
The decision to grant a reward for the discovery of a valid security issue is at Ledger’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your Submission report, ease of exploit and overall risk for Ledger’s users and brand.
Bounties will be paid directly to the researcher using Bitcoin.
You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
To be eligible for a reward, you must not:
In mutual consultation, we can, if you desire, display a researcher’s name or its pseudonym as the discoverer of the reported vulnerability on our website’s « Wall of Fame ».
Ledger reserves the right to remove contribution information of any person that at any time does not comply with the Ledger Bounty program policy and guidelines.
This an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.