Bug bounty policy

Updated 31 May 2022

At Shift Crypto, we strive towards excellence when it comes to the security and privacy of our products and believe that an open architecture is vital to keep our users safe. However, even in time-proven security architectures, vulnerabilities can be found. This is why our code is open source. In the case you find a vulnerability, we would like to ask you to follow our bug bounty program for responsible disclosure.

Hall of thanks

We are thankful to the researchers who work with us to help keep users safe. We wish to acknowledge those who have contacted us and coordinated the release of their research. At their discretion, contributions are attributed on our hall of thanks page. We also understand that anonymity may be an important concern to the researcher and are prepared to protect their identity.

Preamble

Respect and appreciation of the effort, time and skills of independent security researchers is important to Shift Crypto. We enable researchers in their work to help us equip users with safe products by establishing responsible disclosure guidelines and a bug bounty program. We understand that researchers are free to choose their work’s focus as well as when and to whom they disclose their findings. When a vulnerability is found, we recommend you follow our guidelines below.

  1. Information that significantly helps improve our security will be rewarded. This includes user and customer privacy. The main areas are:
    • Official code implementations in production that we maintain and make available at the BitBox GitHub repository.
    • All Shift Crypto hardware.
  2. Keep lines of communication open
    • We may need additional information from you, and we want to ensure that we give your research proper attribution.
  3. Do not at any time:
    • Actively exploit or commit a Denial of Service against us or against other users' wallets and the nodes to which the software connects.
    • Socially engineer our company, those who contact us, and users of our products.
    • Enact any physical or electronic attack against company property.
    • Release user data.
    • Release any private data related to Shift Crypto.
  4. If applicable, the bounty will be granted after the Incident Response is successfully completed and the relevant software fixes have been released.
  5. Issues that have been publicly reported or were known by Shift prior to your disclosure are not applicable for the bug bounty program.
  6. Website vulnerabilities are not part of the bug bounty program.
  7. We do not reward bug bounties for vulnerabilities found in third party services. Please report these issues directly to the relevant service.
  8. We typically do not reward bug bounties for products or services that we do not sell or offer yet (such as beta devices) or for products or services that we no longer sell or offer (after their end-of-sale). However, please still submit any vulnerabilities you find. We may consider paying out a reward regardless.

Security response team

The security team may be reached at [email protected] (PGP: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE) for reports and discussion about potential issues.

Incident response

  1. Submit your report via PGP or another end-to-end encrypted communication channel.
  2. We will respond within 3 business days and then follow up with any inquiries needed to complete our assessment.
    • Confirm receipt of your contact and triage the reported issues.
    • Follow up with the results of our validation process.
  3. For vulnerabilities or important observations that impact our users, we’ll lay out a timeline for mitigation and suggestions for coordinated disclosure with you. We will report on progress made and contact you if more time is required.

Post-release disclosure process

  1. At your discretion, we will credit you on our hall of thanks page and in relevant software release notes.
  2. Rewards are based on the severity of the bug and at a level that we feel is reasonable.
  3. If the Incident Response process described above is not successfully completed and no consensus on a timely disclosure is reached, we encourage you to publish your results without us.
  4. We may even invite you for a bite to eat in Switzerland with the team for especially nice cryptographic or elegant code execution attacks. Novel bugs will be rewarded with novel rewards.