Tillitis takes Kerckhoffs’s principle [https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle] to the extreme: everything about the product, its security features and the tools used to design it is open. We strongly believe in better security through openness. Thus, we welcome and value technical reports of vulnerabilities that could substantially affect the security or integrity of the TKey.
If you believe that you have discovered such a vulnerability, please report it at email@example.com (PGP key [https://bugbounty.tillitis.se/pubkey.txt] if necessary).
The Tillitis Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.
The Tillitis Bug Bounty Program covers our hardware devices TKey, TKey Unlocked and TKey Programmer, as well as all apps [https://tillitis.se/download] that can run on the TKey.
The severity of any vulnerability found will be evaluated against the threat model [https://tillitis.se/products/threat-model/].
Tillitis’ websites are out of scope.
We are mainly interested in vulnerabilities that would eventually allow an attacker to extract secrets from the TKey, e.g. a private key or the UDS (Unique Device Secret).
Examples of vulnerabilities that are in-scope:
We are interested in critical vulnerabilities in the apps provided for the TKey. Both client apps and device apps are in scope.
Examples of vulnerabilities that are in-scope:
At Tillitis, we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Tillitis the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.
In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:
Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.
Low-quality reports, such as those that contain insufficient information to investigate, may cause significant delays in the disclosure process, which is in nobody’s interest. Please submit only one report per issue.
Do not use personal emails, social media accounts, or other private connections to contact a member of the Tillitis Team regarding vulnerabilities or any issue related to the Bounty program, unless you have been instructed to do so by Tillitis.
The Tillitis Team will be in touch, usually within two working days.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Tillitis’ prior written approval.
After triage, we will send a quick acknowledgement and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information or your qualification for a reward.
Bug reporters allow Tillitis the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.
Once the security issue is fixed or mitigated, the Tillitis Team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. In case of disagreement, we will explore mediation mechanisms.
Tillitis has a 90-day disclosure policy, which means that we do our best to fix issues within 90 days of receiving a vulnerability report. If the issue is fixed sooner, and if the security researcher and the Tillitis Team mutually agree, disclosure may happen before the 90-day deadline.
You may be eligible to receive a reward if:
The decision to grant a reward for the discovery of a valid security issue is at Tillitis’ sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your Submission report, ease of exploit and overall risk for Tillitis’ users and brand.
Bounties will be paid directly to the researcher in euros, US dollars or Swedish kronor (whichever the researcher prefers). Bounties range between 100€ and 10.000€.
You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
To be eligible for a reward, you must not:
If you wish, and by mutual agreement, we can list your name or pseudonym as the discoverer of the reported vulnerability on our website’s Hall of Fame [https://bugbounty.tillitis.se/hall-of-fame/].
All updates to this page will be listed below:
2023-11-24, 14:00: Initial release
2023-01-18, 10:25: Editorial changes
This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.
Parts of the program are inspired by Ledger’s Bug Bounty Program [https://donjon.ledger.com/bounty/].