Bug Bounty Program

Last updated: May 17th, 2026

Introduction
The Keystone Bug Bounty Program is designed to encourage security research into Keystone hardware and firmware, and to reward researchers for their valuable contributions to the security of all Keystone users.
Eligibility
To be eligible for a reward under this program, the reported security vulnerability must meet the following general requirements:
  • The vulnerability must be original and previously unreported.
  • The vulnerability must be part of Keystone’s own code and not solely caused by third-party code, applications, services, or websites.
  • You must not be an employee, contractor, vendor, or otherwise have a business relationship with Keystone or any of its subsidiaries.
  • You must not exploit the vulnerability for personal gain, including unauthorized access, data extraction, asset movement, service disruption, or any other harmful activity.
  • Before publicly disclosing any part of the security issue, you must give Keystone a reasonable amount of time to validate, fix, and coordinate disclosure of the issue.
  • Keystone reserves the right, at its sole discretion, to determine whether a reported issue is valid, in scope, sufficiently severe, and eligible for a bounty.
In-Scope Vulnerabilities
Examples of vulnerabilities that may be considered in scope include:
  • Bypass of password protection, PIN verification, or similar user authentication mechanisms.
  • Arbitrary code execution on the Secure Element.
  • Arbitrary code execution on the MCU without physical access.
  • Bypass of user confirmation, or misleading the user into approving an unintended transaction.
  • Leakage or extraction of private key material, seed phrases, or other sensitive cryptographic secrets.
  • Remote code execution affecting Keystone hardware or firmware.
Out-of-Scope Vulnerabilities
Examples of vulnerabilities that are out of scope include:
  • Vulnerabilities in third-party applications, websites, services, or libraries.
  • Reports without sufficient supporting evidence, such as a working proof-of-concept project, reproduction steps, debug output, logs, or tool output.
  • Vulnerabilities on Keystone websites, unless they directly lead to a vulnerability in Keystone hardware or firmware.
  • SPF, DKIM, or DMARC configuration issues.
  • Missing CSRF tokens, unless there is evidence of an actual sensitive user action that can be exploited.
  • Denial-of-service attacks.
  • Spam, phishing, social engineering, or clickjacking-only reports.
  • Theoretical attacks without a practical exploitation path.
  • Reports that only claim a vulnerability without a clear technical explanation, reproducible evidence, or a working PoC.
Responsible Disclosure Policy
Keystone strongly supports good-faith security research into our products and wants to encourage responsible disclosure.
As a result, Keystone will not threaten or bring legal action against anyone who makes a good-faith effort to comply with this Bug Bounty Program, or for any accidental or good-faith violation of this policy.
As long as you comply with this policy, Keystone waives any restrictions in our applicable Terms of Service that would otherwise prohibit your participation in this program, solely for the limited purpose of conducting authorized security research under this policy.
You must not publicly disclose, share, sell, transfer, or otherwise reveal your findings, exploit details, proof of concept, or the contents of your submission to any third party without Keystone’s prior written approval.
Submission Requirements
All vulnerability submissions must include both:
  • A working proof-of-concept project
  • A detailed vulnerability report
Reports that do not include both of these items may be rejected as incomplete.
Proof-of-Concept Requirement
Your submission must include a working proof-of-concept project that demonstrates and verifies the claimed vulnerability.
The PoC should be sufficient for Keystone to reproduce the issue in a reasonable testing environment. Where applicable, please include:
  • Source code, scripts, test files, or project files required to reproduce the issue.
  • Build and run instructions.
  • Required dependencies, versions, and environment details.
  • Input files, payloads, QR codes, transaction data, or other test materials.
  • Expected result and actual result.
  • Any logs, screenshots, videos, or debug output that help verify the issue.
A report that only describes a possible issue, without a working PoC project or reliable reproduction method, may not be eligible for a bounty.
Vulnerability Report Requirement
Your vulnerability report must provide a clear and detailed description of the claimed vulnerability.
The report should include, at minimum:
  • A clear summary of the vulnerability.
  • The affected product, component, firmware version, commit hash, or environment.
  • A detailed technical explanation of the root cause.
  • Step-by-step reproduction instructions.
  • A description of the security impact.
  • The attacker model and required conditions for exploitation.
  • Whether physical access is required.
  • Whether user interaction is required.
  • Whether the vulnerability can lead to private key leakage, unauthorized signing, transaction manipulation, authentication bypass, remote code execution, or other security impact.
  • Any limitations or assumptions of the PoC.
  • Suggested mitigations, if available.
The vulnerability report must explain why the reported behavior is a real security vulnerability, not only unexpected behavior, a crash, or a theoretical concern.
Submission Process
Please send a PGP-encrypted email to security@keyst.one.
Please start with a clear-text message containing your public key, and we will reply with ours so that the full submission can be encrypted.
Your submission should include:
  • A working proof-of-concept project that reproduces the issue.
  • A detailed vulnerability report describing the claimed vulnerability, root cause, reproduction steps, and potential impact.
  • Your name, organization, or Twitter/X handle for attribution, if you would like to be credited.
Keystone will respond within 7 working days to confirm receipt of your initial contact and begin triage of the reported vulnerability.
After our first response, Keystone will respond to subsequent communications regarding the same report no later than 2 working days from receipt, unless both parties agree otherwise or exceptional circumstances apply.
During the validation process, Keystone may ask follow-up questions or request additional information if any part of the vulnerability, PoC, impact, or reproduction process is unclear.
Keystone will keep you informed during the validation, remediation, and coordinated disclosure process.
For valid vulnerabilities, Keystone will work with you to establish a reasonable coordinated disclosure timeline. Keystone may request additional time if more investigation, mitigation, testing, or release coordination is required.
Reward
The decision to grant a reward for a valid vulnerability is at Keystone’s sole discretion.
The amount of each bounty is based on factors including, but not limited to:
  • Severity of the vulnerability.
  • Classification and sensitivity of the impacted data.
  • Practical exploitability.
  • Required attacker capabilities.
  • Whether physical access is required.
  • Whether user interaction is required.
  • Impact on user assets, private keys, transaction integrity, or product security.
  • Completeness and quality of the vulnerability report.
  • Quality and reliability of the working proof-of-concept project.
  • Overall risk to Keystone users and the Keystone brand.
Bounties will be paid directly to the researcher using Bitcoin.
You are responsible for any tax implications, as determined by the laws of your jurisdiction of residence or citizenship.
Keystone may modify the terms of this program or terminate this program at any time without prior notice.