Bug Bounty Program

Tillitis takes Kerckhoffs’s principle [https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle] to the extreme: everything about the product, its security features and the tools used to design it is open. We strongly believe in better security through openness. Thus, we welcome and value technical reports of vulnerabilities that could substantially affect the security or integrity of the TKey.

If you believe that you have discovered such a vulnerability, please report it to security@tillitis.se (using our PGP key [https://bugbounty.tillitis.se/pubkey.txt] if necessary).
The Tillitis Team will work with you to investigate and resolve the issue promptly, and will reward the first reporter of a vulnerability.

Eligibility

The Tillitis Bug Bounty Program covers our hardware devices TKey, TKey Unlocked and TKey Programmer, as well as all apps [https://tillitis.se/download] that can run on the TKey.
The severity of any vulnerability found will be evaluated against the threat model [https://tillitis.se/products/threat-model/].

Tillitis’ different web sites are out of scope.

Devices Bug Bounty Program

We are mainly interested in vulnerabilities that would eventually allow an attacker to steal secrets from the TKey, e.g. a private key or the UDS (Unique Device Secret).

Scope

  • Hardware attacks on the TKey, TKey Unlocked, TKey Programmer
  • Software attacks on the firmware of the TKey, TKey Unlocked, TKey Programmer

In-Scope Vulnerabilities

Examples of vulnerabilities that are in-scope:

  • Warm boot attack – extracting any secret information from the TKey hardware
  • Bypass of the USS
  • Arbitrary code execution in firmware mode (with or without physical access to the TKey)
  • Memory/Information leakage

App Bug Bounty Program

We are interested in critical vulnerabilities in the apps provided for the TKey. Both the client app and the device app are in scope.

Scope

In-Scope Vulnerabilities

Examples of vulnerabilities that are in-scope:

  • Information leakage, especially of any secret (UDS, Private key)
  • Arbitrary code execution on the TKey in app mode (with or without physical access to the TKey)

Out-of-Scope

Responsible Disclosure Policy

At Tillitis, we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Tillitis the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.

In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:

  • Do not engage in testing that:
    • Results in you, or any third party, accessing, storing, sharing or destroying data belonging to Tillitis or its users.
    • May impact Tillitis employees or users, such as social engineering or spam.
  • Do not exploit vulnerabilities. The Bounty Program is about improving security for Tillitis users, not deliberately trying to put the community at risk.

Submission Process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.

Low-quality reports, such as those that contain inadequate information to investigate, may incur significant delays in the disclosure process, which is in nobody’s interest. Please submit only one report per issue.

All communications between you and Tillitis should go through security@tillitis.se. Please use our PGP key [https://bugbounty.tillitis.se/pubkey.txt] as necessary.

Do not use personal emails, social media accounts, or other private connections to contact a member of the Tillitis Team regarding vulnerabilities or any other issue related to the Bounty Program, unless Tillitis has instructed you to do so.

The Tillitis Team will be in touch, usually within two working days.

When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Tillitis’ prior written approval.

Remediation & Disclosure

After triage, we will send a quick acknowledgement and commit to being as transparent as possible about the remediation timeline, as well as about any issues or challenges that may extend it. You may receive updates on significant events such as validation of the vulnerability, requests for additional information, or your qualification for a reward.

Bug reporters allow Tillitis the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.

Once the security issue is fixed or mitigated, the Tillitis Team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. In case of disagreement, we will explore mediation mechanisms.

Tillitis has a 90-day disclosure policy, which means that we do our best to fix issues within 90 days of receiving a vulnerability report. If the issue is fixed sooner, and there is mutual agreement between the security researcher and the Tillitis Team, disclosure may happen before the 90-day deadline.

Reward

You may be eligible to receive a reward if:

  • (i) you are the first person to submit a given vulnerability;
  • (ii) that vulnerability is determined to be a valid security issue by the Tillitis Team;
  • (iii) you have complied with the Tillitis Bug Bounty program policy and guidelines.

The decision to grant a reward for the discovery of a valid security issue is at Tillitis’ sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission report, the ease of exploitation, and the overall risk to Tillitis’ users and brand.

Bounties will be paid directly to the researcher in Euro, US dollars, or Swedish Krona (whichever the researcher prefers). Bounties range between 100€ and 10.000€.

You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

To be eligible for a reward, you must not:

  • Be a resident of, or make your vulnerability submission from, a country against which Sweden has issued export sanctions or other trade restrictions,
  • Be in violation of any national, state, or local law or regulation.

Hall of Fame

In mutual consultation, and if you wish, we can display your name or pseudonym as the discoverer of the reported vulnerability in our website’s Hall of Fame [https://bugbounty.tillitis.se/hall-of-fame/].

Updates of these terms

All updates to this page will be listed below:
2023-11-24, 14:00: Initial release
2023-01-18, 10:25: Editorial changes


This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.

Parts of the program are inspired by Ledger’s Bug Bounty Program [https://donjon.ledger.com/bounty/].