Revamping the Ledger Bounty Program

We’ve posted before that Ledger’s approach to security follows Kerchoff’s principle: the best security systems are so good that you can tell people exactly how they work, and that won’t compromise them in any way. In fact, publicly discussing the technology allows people to suggest improvements, making it even better.

This approach is the basis of the Ledger Bounty Program we recently launched, rewarding external security researchers for discovering security bugs and cooperating with us to get them fixed.

The Program has quickly made a positive impact and we are pleased to confirm that Saleem Rashid has received a reward for his two security vulnerabilities found in recent weeks. Joining Saleem as the first awardees of the Program are Timothée Isnard and Sergei Volokitin. We thank all the bounty recipients for helping us improve security for all our users. We explored some of the bugs they identified in detail in a previous post.

Working with the security community in this way is a good example of the intentions behind the scheme: improving our products’ security and minimising harm to users and the ecosystem by bringing practices from the open source community to bear on our secure hardware.

Updating the Program

While a successful bounty program often starts with the ingenuity of external security researchers, it also relies on the professionalism of contributors to work with our security team to fix the issues identified and then disclose them responsibly. We are pleased the Program has started in this way.

Just as we work to continually improve security of our products, we will also keep the Bug Bounty Program updated to ensure it’s working as effectively as it can for us and for the external security researchers we work with.

As the Program is fairly new, we’ve already been able to identify some areas we can improve. So today we’re making some changes. The intention of the Program remains the same as before, but we’re adding some clarification on what you can expect from us (including in terms of how we communicate with researchers), what we expect of you, and the kinds of bugs that we especially welcome submissions on.

In addition to providing more details about how the Program works, we’re also updating our own processes to make sure we handle submissions and communicate with researchers as well as we can.

You can find the updated Program policy here.

Our Commitment

It’s worth looking at the responsible disclosure principles in the updated Program especially:

External security researchers are expected to:

Respect and operate within the disclosure guidelines and rules set out by the Ledger Security Team.

Accept that submissions outside of the eligibility scope may not be investigated.

Respect data protection principles and users’ privacy. Make a good faith effort not to access or destroy another user’s data.

Be patient. Make a good faith effort to clarify issues and support the Ledger Security team’s, efforts upon request.

Do no harm: report found vulnerabilities promptly. Never willfully exploit them without permission.

Ledger’s Security Team is expected to:

Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.

Reward relevant and good faith research.

Give bounty recipients public recognition for their contributions when mutually agreed.

Do no harm: Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

We hope that with the new detail provided in the Program security researchers will have a clear idea of how they can help us improve our products, and how we’ll work with them to address bugs identified and reward them for their efforts.

We appreciate the help and cooperation we’ve received through the Bounty Program so far, and we welcome further submissions of security related bugs. Please take a look through the updated Program terms and, if you discover a bug, follow the submission process contained within.

Charles Guillemet, Chief Security Officer