🐛 Bug Bounty Program

Help us secure the future of cryptocurrency storage. Find vulnerabilities, earn rewards.

  • $500K+ Total Rewards Paid
  • 150+ Bugs Fixed
  • $50K Max Reward

Low Severity
$500 - $1,000

Minor bugs with limited impact on security or functionality

Medium Severity
$1,000 - $5,000

Moderate vulnerabilities that could affect user experience or data

High Severity
$5,000 - $20,000

Serious vulnerabilities that could compromise device security

Critical Severity
$20,000 - $50,000

Critical vulnerabilities that could lead to key extraction or loss of funds

Program Scope

What's eligible for our bug bounty program

In Scope

  • Hardware wallet firmware vulnerabilities
  • Secure element exploits
  • Private key extraction methods
  • PIN bypass vulnerabilities
  • Side-channel attacks
  • Companion software vulnerabilities
  • Communication protocol flaws
  • Recovery process vulnerabilities

Out of Scope

  • Physical damage or destruction of device
  • Social engineering attacks
  • Denial of Service (DoS) attacks
  • Third-party application vulnerabilities
  • Already known or reported issues
  • Theoretical vulnerabilities without proof
  • Spam or automated scanning
  • UI/UX improvements or feature requests

Submission Process

How to report vulnerabilities and claim your reward

1. Discover & Document

Find a vulnerability and document it thoroughly with proof of concept, steps to reproduce, and potential impact assessment.

2. Submit Report

Submit your detailed report through our secure submission portal or encrypted email with all necessary documentation.

3. Initial Review

Our security team reviews your submission within 48 hours and provides initial feedback and severity assessment.

4. Validation

We validate and reproduce the vulnerability in our testing environment, working with you if additional information is needed.

5. Reward & Fix

Receive your bounty reward and recognition while we develop and deploy a fix for the vulnerability.

Program Rules

Guidelines for responsible disclosure and participation

🔒 Responsible Disclosure

Do not publicly disclose vulnerabilities until we've released a fix and notified users.

📝 Clear Documentation

Provide detailed steps to reproduce, including environment, tools, and configuration.

🚫 No Harm Policy

Testing must not harm other users, compromise data, or disrupt our services.

🎯 First Reporter

Rewards go to the first person to report a unique, previously unknown vulnerability.

⚖️ Legal Compliance

All testing must comply with applicable laws and regulations in your jurisdiction.

🤝 Good Faith

Act in good faith to avoid privacy violations and destruction of data or equipment.

🏆 Hall of Fame

Recognizing our top security researchers

Alex Kumar

Critical vulnerability in firmware v2.1

12 Bugs Found

Sarah Chen

Side-channel attack discovery

8 Bugs Found

Marcus Rodriguez

PIN bypass vulnerability

6 Bugs Found

Ready to Submit?

Help us build the most secure hardware wallet in the world

For encrypted submissions, use our PGP key available on our website
Email: contact@lumpaxwallet.co.com | Subject: Bug Bounty Submission