Security is Our Priority
We value the security research community and welcome responsible disclosure of security vulnerabilities.
| Severity | Reward | Examples |
|---|---|---|
| Critical | $10,000+ | Remote code execution, private key extraction, critical firmware vulnerabilities |
| High | $5,000 | Authentication bypass, privilege escalation, significant data exposure |
| Medium | $2,500 | XSS attacks, CSRF vulnerabilities, less critical security issues |
| Low | $500 | Minor security concerns, information disclosure, low-impact issues |
Program Scope
In Scope
The following areas are included in our bug bounty program:
| Asset | Status |
|---|---|
| Holdexer Hardware Device Firmware | ✓ In Scope |
| Device Secure Element Implementation | ✓ In Scope |
| Holdexer Website (holdexer.us.com) | ✓ In Scope |
| Desktop and Mobile Applications | ✓ In Scope |
| API Endpoints | ✓ In Scope |
| Cryptographic Implementations | ✓ In Scope |
Out of Scope
The following are NOT eligible for rewards:
- Social engineering attacks
- Physical attacks requiring device possession
- DDoS attacks
- Spam or phishing attacks
- Issues in third-party services or libraries
- Previously reported or known issues
- Theoretical vulnerabilities without proof of concept
- Issues that require a compromised recovery seed
High Priority Vulnerabilities
We are especially interested in reports concerning:
- Private Key Security: Any vulnerability that could lead to private key extraction or exposure
- Firmware Integrity: Ability to install malicious or unauthorized firmware
- Transaction Tampering: Manipulation of transaction data without user knowledge
- Secure Element Bypass: Circumventing secure element protections
- Cryptographic Weaknesses: Flaws in our cryptographic implementations
- Authentication Bypass: Unauthorized access to device or accounts
- Data Leakage: Exposure of sensitive user or device information
How to Submit a Report
1. Discover: Identify a potential security vulnerability in our in-scope assets
2. Document: Prepare a detailed report with steps to reproduce the issue
3. Submit: Email your report to contact@holdexer.us.com with subject "Bug Bounty"
4. Response: We'll acknowledge your report within 48 hours and begin investigation
Report Requirements
Your submission should include:
- Clear description of the vulnerability
- Step-by-step reproduction instructions
- Proof of concept (code, screenshots, or video)
- Potential impact assessment
- Your recommended remediation (optional)
- Contact information for follow-up
Program Rules & Guidelines
Responsible Disclosure Policy
To participate in our bug bounty program, you must:
- Not publicly disclose the vulnerability before we've addressed it
- Provide us reasonable time to fix the issue (typically 90 days)
- Not exploit the vulnerability beyond what's necessary to demonstrate it
- Not access, modify, or delete user data
- Not perform actions that could harm Holdexer or our users
- Make a good faith effort to avoid privacy violations and service disruption
Eligibility
To receive a reward, you must:
- Be the first to report the vulnerability
- Report a vulnerability that's in scope
- Provide sufficient detail to reproduce the issue
- Not be a current or former Holdexer employee or contractor
- Comply with all program rules
- Not be located in a country under US sanctions
Safe Harbor
Holdexer commits to not pursue legal action against security researchers who:
- Make a good faith effort to comply with this policy
- Report vulnerabilities promptly and responsibly
- Do not exploit vulnerabilities beyond necessary demonstration
Reward Determination
Reward amounts are determined based on several factors:
- Severity: Impact and exploitability of the vulnerability
- Quality: Clarity and completeness of the report
- Scope: Whether the vulnerability affects critical systems
- Proof of Concept: Quality of demonstration
Payment Process
Once a vulnerability is verified and fixed, we will:
- Determine the appropriate reward amount
- Notify you of the reward decision
- Process payment via your preferred method (bank transfer, cryptocurrency, or PayPal)
- Publicly acknowledge you in our Hall of Fame (if you consent)
Timeline:
We aim to acknowledge reports within 48 hours, provide initial assessment within 5 business days, and issue rewards within 30 days of vulnerability confirmation and fix deployment.
🏆 Security Researcher Hall of Fame
We recognize and thank the following security researchers who have helped make Holdexer more secure:
Be the first to contribute to Holdexer's security and earn your place in our Hall of Fame!