Responsible Disclosure
At Trezor, security is our core mission. We believe in the power of the security community and welcome responsible disclosure of vulnerabilities in our hardware, firmware, and software products.
Report a vulnerability:
security@trezor.io · PGP key available at trezor.io/security
We aim to respond to all reports within 48 hours.
Scope
We accept reports for vulnerabilities in:
- Trezor hardware devices (Safe 3, Safe 5, Safe 7)
- Trezor firmware (open-source on GitHub)
- Trezor Suite desktop and web application
- trezor.io website and API endpoints
- Trezor Connect and integration libraries
Out of Scope
- Social engineering attacks
- Physical attacks requiring extended unsupervised access to the device
- Denial-of-service attacks on our infrastructure
- Third-party services and applications
What We Ask
- Give us reasonable time to investigate and patch before public disclosure
- Do not access or modify other users' data
- Do not perform attacks on live production systems
- Provide a clear, reproducible proof of concept
Our Commitments
We will acknowledge your report promptly, work with you to understand and resolve the issue, and publicly credit you (with your permission) in our security advisories. For critical findings, we offer a bug bounty reward — contact us for details.
PGP Encryption
For sensitive reports, please encrypt your email using our PGP public key. Our key fingerprint and full public key are available at trezor.io/security.