Vault12 Bug Bounty Program

The Bug Bounty Program is designed to reward security researchers who find vulnerabilities and report them to Vault12.

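| Priority            | Critical | High   | Medium | Low  |
|---------------------|----------|--------|--------|------|
| Vault12 iOS App     | $10,000  | $2,000 | $500   | $250 |
| Vault12 Android App | $10,000  | $2,000 | $500   | $250 |
| True Entropy iOS App | $2,500  | $1,000 | $500   | $250 |
| Vault12 Website     | $2,500   | $1,000 | $500   | $250 |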

Rewards are payable in USD, BTC, or ETH.


What is the Vault12 Bug Bounty Program?

Vault12 actively works with security researchers to help keep our products secure and our users safe. In the event that you find a security vulnerability, we ask that you promptly report the vulnerability to us via the "Submit Report" button on this page.


Please do not discuss any vulnerabilities (even those that were resolved) outside of this program without express written consent from Vault12. If Vault12 confirms a security vulnerability that you have reported to us, Vault12 will give you the option of being publicly recognized as having identified a security issue in our products, in addition to the bounty reward.

Whitehat Safe Harbor

Vault12 will not initiate legal action against you for any research conducted consistent with our policies posted on this page, including good faith, accidental violations. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with the policies posted on this page.

What are the Program Rules?

A valid report is any in-scope report that clearly demonstrates a software vulnerability that could be used to compromise the privacy or data of Vault12 or Vault12 users. Vault12 will determine in its sole discretion whether a report meets the criteria of our policies as well as the amount of any reward.

During your research, please adhere to the following guidelines:

  • Do not access or destroy another user's data, including any of Vault12's data.
  • Please provide detailed steps to reproduce the vulnerability, including any tools required.
  • Social engineering (e.g. phishing) is strictly prohibited.
  • Only interact with accounts and devices that you own or with which you have secured the explicit permission of the owner.
  • Do not disclose any security vulnerabilities to any other party without the express written permission of Vault12.

Failure to adhere to any of these guidelines will result in your report being ineligible for a reward.

In the event we receive duplicate reports for a given security vulnerability, only the first report shall be eligible for a reward. In addition, if multiple vulnerabilities are caused by a single underlying vulnerability and those vulnerabilities are reported in separate reports, then only the first report shall be eligible for a reward.

Vault12 makes every effort to respond quickly to security vulnerability reports and will keep you updated throughout our process. As the severity and complexity of security vulnerabilities can vary, so will our time to resolve the vulnerability. In the event that more than 30 days have passed without Vault12 providing you with an update, please contact us directly by emailing:

Lastly, we reserve the right to modify or cancel our Bug Bounty Program at any time.


In Scope

Out of Scope

  • Domain: (report security issues here)
  • Domain:
  • Domain:
  • Domain:
  • Domain:
  • Domain:
  • Any other service owned/operated by a third party upon which Vault12 has an account, including but not limited to: GitHub, Telegram, Twitter, Facebook, LinkedIn, and Instagram.

Thank You

Special thanks to the following for their work finding bugs:

  • Sachin Kalkumbe
  • Waqar Vicky
  • Nitin Goplani
  • Swapnil Patil
  • Shankar Acharya
  • Himanshu
  • Mohammed Israil (@mdisrail2468)
  • Yeshwanth
  • Ramit Gangwar
  • Rutvik Kalkumbe
  • Akash M (@0xbool / @booleanaire)
  • Mridul Rastogi
