The Bug Bounty Program is designed to reward security researchers who find vulnerabilities and report them to Vault12.
| Priority | Critical | High | Medium | Low |
| USD | USD | USD | USD | |
| Vault12 iOS App | $10,000 | $2,000 | $500 | $250 |
| Vault12 Android App | $10,000 | $2,000 | $500 | $250 |
| True Entropty iOS App | $2,500 | $1,000 | $500 | $250 |
| Vault12 Website | $2,500 | $1,000 | $500 | $250 |
Rewards are payable in USD, BTC, or ETH.
Vault12 actively works with security researchers to help keep our products secure and our users safe. In the event that you find a security vulnerability, we ask that you promptly report the vulnerability to us via the "Submit Report" button on this page.
Please do not discuss any vulnerabilities (even those that were resolved) outside of this program without the express written consent from Vault12. In the event that Vault12 confirms a security vulnerability that you have reported to us, Vault12 will provide you with the option of being publicly recognized as having identified a security issue in our products in addition to the bounty reward.
Vault12 will not initiate legal action against you for any research conducted consistent with our policies posted on this page, including good faith, accidental violations. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with the policies posted on this page.
Valid reports are any in-scope report that clearly demonstrates a software vulnerability that could be used to compromise the privacy or data of Vault12 or Vault12 users. Vault12 will determine in its sole discretion whether a report meets the criteria of our policies as well as the amount of any reward.
During your research, please adhere to the following guidelines:
Failure to adhere to any of these guidelines will result in your report being ineligible for a reward.
In the event we receive duplicate reports for a given security vulnerability, only the first report shall be eligible for a reward. In addition, if multiple vulnerabilities are caused by a single underlying vulnerability and those vulnerabilities are reported in separate reports then only the first report shall be eligible for a reward.
Vault12 makes every effort to respond quickly to security vulnerability reports and will keep you updated throughout our process. As the severity and complexity of security vulnerabilities can vary, so will our time to resolve the vulnerability. In the event that more than 30 days has passed without Vault12 providing you with an update, please contact us directly by emailing: bug-bounty@vault12.com
Lastly, we reserve the right to modify or cancel our Bug Bounty Program at any time.
Special thanks to the following for their work finding bugs:
