Reporting security vulnerabilities

Modified on Thu, 27 Jun 2019 at 11:22 AM

BC Vault Bounty Program


BC Vault crypto wallet ships with a Bounty Wallet containing 1 BTC. If you gain access to this wallet, you are free to do whatever you want with the funds! We would certainly be glad to hear from you! :)


Other than the bounty wallet, you may find other security vulnerabilities. We are committed to provide the best possible service and product to you, but there is no 100% guarantee in the world of hardware and software – thus this bounty program.


If you think you have found a security vulnerability, please follow these steps to guarantee that no legal action will be taken against you. Quite the opposite, we will be very thankful and if a security issue is confirmed from our side and designated as severe, a bounty will be paid:


  • Open a ticket with the subject as “I think I found security vulnerability” here: https://support.bc-vault.com/support/tickets/new
  • Include just basic information about the issue (no details please)
  • You will be contacted by support with additional details and a PGP key for further communication
  • Only after receiving PGP key should you send all the details of the vulnerability with proof of concept
  • Wait for our feedback regarding your reported security vulnerability
  • We will agree on further steps such as a timeline for fixing the vulnerability, writing a common statement and ultimately publishing the statement and giving you the full credit (if the vulnerability is confirmed and deemed severe).
  • Some vulnerabilities can be purely theoretical or totally unpractical in a normal usage scenario and we might fix them anyway, even if the bounty will not be paid.
  • Bounty will be paid at our discretion, but do not worry, we will treat you fair.


The ultimate goal of any security vulnerability should be exposure of the wallet’s private key, tricking BC Vault into signing a different transaction than user ultimately wanted or any similar issue that threatens the funds of the user.


Additionally, we will not be paying out a bug bounty reward for supply chain attacks or attacks which require physically opening the device before or during normal use. Some of these we believe cannot be sufficiently countered, and that no other hardware wallets effectively mitigate.


Connecting tons of equipment (such as an oscilloscope) with wires hanging out of the device and asking the user to enter their PIN and then claiming that you “intercepted” it is not deemed a vulnerability. It’s easier to simply connect wires directly to the directional DPAD switches and read the contacts. :)


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article