Bug Bounty Program

The X1 wallet has been audited by Keylabs as of 14th September 2022. You can find their findings and our relevant response
The X1 card has been audited by SERMA as of 14th September 2022.
Responsible disclosure policy
At Cypherock (HODL Tech Pte. Ltd.), we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Cypherock the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.
In return, Cypherock commits that security researchers reporting bugs will be protected from legal liability, so long as they follow responsible disclosure guidelines and principles.
In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:
  • Do not engage in testing that:
      • Degrades Cypherock’s information systems and products.
      • Results in you, or any third party, accessing, storing, sharing or destroying Cypherock or user data.
      • May impact Cypherock users, such as denial of service, social engineering or spam.
  • Do not exploit vulnerabilities on our infrastructure. The Bounty Program is about improving security for Cypherock users, not deliberately trying to put the community at risk.
Submission process
Please email your disclosure to bounty@cypherock.com; do not use any other platform for communication.
Please include:
  • Code which reproduces the issue as a proof of concept.
  • Detailed description and potential impact of your bug.
  • Your name and a link for attribution (or a comment if you don't want attribution).
  • The severity of the bug.
  • The likelihood that the bug will affect users.
  • The role of the researcher: was the researcher the first person to discover the bug, or is the bug based on some public information?
In scope vulnerabilities
  1. Bypass of PIN leading to extraction of wallet secret share from X1 card
  2. Arbitrary code execution on X1 wallet (without hardware access)
  3. Tricking our hardware into signing a transaction the user has not authorized
  4. Bypass bootloader security check (without hardware access)
  5. Arbitrary code execution on X1 cards
  6. Sensitive data leaks leading to funds loss

Note: Vulnerabilities in anything other than the X1 Wallet and X1 Card (listed above) are welcome disclosures, but will not be awarded bounties under this bug bounty program.
Remediation and Disclosure

After triage, we will send a quick acknowledgment and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information, or your qualification for a reward.

When submitting a vulnerability report, you agree that public disclosure should not be made without team Cypherock's approval to ensure that the vulnerability is not exploited by anyone in the community.

Once the security issue is fixed or mitigated, the Cypherock Security Team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. In case of disagreement, we would explore mediation mechanisms.

Cypherock has a 90-day disclosure policy, which means that we do our best to fix issues within 90 days upon receipt of a vulnerability report. If the issue is fixed sooner and if there is a mutual agreement between the security researcher and the Cypherock Security Team, the disclosure might happen before the 90-day deadline.

Rewards

The decision to grant a reward for the discovery of a valid security issue is at Cypherock’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission report, ease of exploitation, and overall risk for Cypherock’s users and brand. Bounties will be paid directly to the researcher.

You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

To be eligible, you must not:
  • Be a resident of, or make your vulnerability submission from, a country against which Singapore has issued export sanctions or other trade restrictions,
  • Be in violation of any national, state, or local law or regulation,
  • Be employed by Cypherock or its subsidiaries or affiliates,
  • Be an immediate family member of a person employed by Cypherock or its subsidiaries or affiliates,
  • Be less than 18 years of age. If you are under 18 years old, or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.
Hall of fame

In mutual consultation, we can, if you desire, display a researcher’s name or pseudonym as the discoverer of the reported vulnerability on our website. Please note that the Hall of Fame is dedicated to the Devices Bug Bounty Program.

Code of conduct
  • Interactions should be at all times respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Creating unnecessary noise, sending rude emails, or spamming for an update are some examples which can be considered unprofessional behavior. These actions decrease triage efficiency and are not beneficial to you as the bug reporter or the program.
  • Hate speech, profanity, or any aggressive threats will not be tolerated in any form.
  • Contacting the security team “out-of-band” (e.g. via Reddit or Twitter) is a violation of this Code of Conduct.