Vault12 Bug Bounty Program
| Vault12 iOS app | $10,000 | $2,000 | $500 | $250 |
| Vault12 Android app | $10,000 | $2,000 | $500 | $250 |
| True Entropy iOS App | $2,500 | $1,000 | $500 | $250 |
Rewards are payable in USD, BTC, or ETH.
Vault12 actively works with security researchers to help keep our products secure and our users safe. In the event that you find a security vulnerability, we ask that you promptly report the vulnerability to us via the “Submit Report” button on this page.
Please do not discuss any vulnerabilities (even those that were resolved) outside of this program without express written consent from Vault12. In the event that Vault12 confirms a security vulnerability that you have reported to us, Vault12 will provide you with the option of being publicly recognized as having identified a security issue in our products in addition to the bounty reward.
Whitehat Safe Harbor
Vault12 will not initiate legal action against you for any research conducted consistent with our policies posted on this page, including good faith, accidental violations. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with the policies posted on this page.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that could be used to compromise the privacy or data of Vault12 or Vault12 users. Vault12 will determine in its sole discretion whether a report meets the criteria of our policies as well as the amount of any reward.
During your research, please adhere to the following guidelines:
- Do not access or destroy another user’s data, including any of Vault12’s data.
- Please provide detailed steps to reproduce the vulnerability, including any tools required.
- Social engineering (e.g. phishing) is strictly prohibited.
- Only interact with accounts and devices that you own or with which you have secured the explicit permission of the owner.
- Do not disclose any security vulnerabilities to any other party without the express written permission of Vault12.
Failure to adhere to any of these guidelines will result in your report being ineligible for a reward.
In the event we receive duplicate reports for a given security vulnerability, only the first report shall be eligible for a reward. In addition, if multiple vulnerabilities are caused by a single underlying vulnerability and those vulnerabilities are reported in separate reports, then only the first report shall be eligible for a reward.
Vault12 makes every effort to respond quickly to security vulnerability reports and will keep you updated throughout our process. As the severity and complexity of security vulnerabilities can vary, so will our time to resolve the vulnerability. In the event that more than 30 days have passed without Vault12 providing you with an update, please contact us directly by emailing: [email protected]
Lastly, we reserve the right to modify or cancel our Bug Bounty Program at any time.
In Scope
- Domain: vault12.com
- Domain: vault12.io
- Domain: ticket1.vault12.com
- Domain: z.vault12.com
- Domain: pay.vault12.com
- iOS App: https://apps.apple.com/app/vault12-crypto-security/id1451596986
- iOS App: https://apps.apple.com/us/app/trueentropy/id1299321174
- Android App: https://play.google.com/store/apps/details?id=com.vault12.vault12
Out of Scope
- Domain: blog.vault12.com
- Domain: eth.vault12.com
- Domain: help.vault12.com
- Domain: vote.vault12.com
- Domain: medium.com/vault12
- Any other service owned/operated by a third party upon which Vault12 has an account, including but not limited to: GitHub, Telegram, Twitter, Facebook, LinkedIn, and Instagram.
Special thanks to the following for their work finding bugs:
- Waqar Vicky
- Nitin Goplani
- Swapnil Patil
- Shankar Acharya