Bug Bounty Program

Help us secure the future of digital assets. Report vulnerabilities and earn rewards.

Ledger believes in better security through openness. We welcome and value technical reports of vulnerabilities that could substantially affect the confidentiality or integrity of user data on Ledger devices or the security of our infrastructure.

If you believe that you have discovered such a vulnerability, please report it at bounty -at- ledger.fr (GPG key if necessary).

The Ledger Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.

Eligibility

Ledger Bug Bounty Program covers our hardware devices, Ledger Wallet applications, as well as our web services.

Devices Bug Bounty

We are mainly interested in vulnerabilities that would eventually allow attackers to steal crypto assets from Ledger devices.

Scopes

  • Hardware attacks on the Ledger devices (i.e. hardware products)
  • Software attacks on the firmware running on the devices
  • Vulnerabilities in the in-scope apps listed below (versions distributed through Ledger Wallet)

In-Scope Vulnerabilities

  • Bypass of the PIN
  • Arbitrary code execution on the SE
  • Arbitrary code execution on the MCU (without physical access)
  • Privilege escalation from an app
  • Bypass of user confirmation to issue a transaction
  • Sensitive memory leak

In-Scope Apps

  • app-bitcoin
  • app-bitcoin-new
  • app-cardano
  • app-stellar
  • app-sui
  • app-ethereum
  • app-exchange
  • app-monero
  • app-openpgp
  • app-recovery-check
  • app-security-key
  • app-solana
  • app-tron
  • app-xrp
  • app-hyperliquid (coming soon)

Web Bug Bounty

We are interested in critical vulnerabilities in our infrastructure. In a nutshell, we are interested in real vulnerabilities, not in the output of automated scanners.

Out-of-scope Vulnerabilities

  • Presence/absence of SPF/DMARC records
  • Lack of CSRF tokens
  • Clickjacking and tabnabbing issues
  • Missing security headers which do not lead directly to a vulnerability
  • Missing best practices (we require evidence of a security vulnerability)
  • Reports from automated tools or scans
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Absence of rate limiting
  • Editable GitHub wikis
  • Outdated software without any noteworthy vulnerability
  • Broken links

Ledger Wallet Bug Bounty

We are interested in vulnerabilities in Ledger Wallet (Desktop and Mobile) that could lead to loss of user funds, compromise of sensitive data, or bypass of security controls. We are looking for real security impact, not cosmetic or theoretical issues.

In-Scope Vulnerabilities

  • Unauthorized transaction crafting or signing bypass via Ledger Wallet
  • Compromise of the communication channel between Ledger Wallet and the device (USB/BLE)
  • Private data leakage (accounts, balances, xpubs) to unauthorized parties
  • Remote code execution in Ledger Wallet (Desktop or Mobile)
  • Supply-chain attacks on the Ledger Wallet update mechanism
  • Bypass of the genuine device check performed by Ledger Wallet
  • Man-in-the-middle attacks on Ledger Wallet backend communications
  • dApp privilege escalation: a compromised or malicious dApp accessing resources or permissions beyond what Ledger Wallet explicitly exposes to it (dApp sandbox escape)

Out-of-scope Vulnerabilities

  • Attacks requiring prior local access to the computer or mobile device (e.g. malware already installed, physical access to an unlocked machine)
  • Vulnerabilities requiring physical access to an already-unlocked Ledger device
  • UI/UX bugs with no security impact (cosmetic glitches, typos, layout issues)
  • Outdated dependencies without a demonstrated exploitable vulnerability
  • Denial of service against Ledger Wallet (app crashes without security impact)
  • Issues already covered by the Devices or Web Bug Bounty scopes
  • Self-XSS or issues requiring unlikely user interaction chains
  • Vulnerabilities in third-party dApps themselves that do not impact Ledger Wallet or its users beyond the dApp's own scope
  • Reports from automated scanners without manual verification (see AI-generated reports policy)

Phishing Attempt Bounty

We are also interested in any information allowing us to protect our users from attacks (Phishing, Smishing, Vishing, etc).

We have created a 10 BTC fund for any information leading to successful arrest and prosecution.

To submit your bounty information, please use bounty-phishing - at - ledger.com.

Payment will require meeting KYC requirements.

Responsible Disclosure Policy

At Ledger, we believe that Coordinated Vulnerability Disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Ledger the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.

In return, Ledger commits that security researchers reporting bugs will be protected from legal liability, so long as they follow responsible disclosure guidelines and principles.

Guidelines

  • Do not engage in testing that degrades Ledger's information systems and products
  • Do not access, store, share or destroy Ledger or user data
  • Do not impact Ledger users, such as denial of service, social engineering or spam
  • Do not exploit vulnerabilities on our infrastructure — the Bounty Program is about improving security, not deliberately putting the community at risk

Submission Process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.

Low-quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process. Please submit only one report per issue.

Regarding AI-Generated and Automated Reports

We do not accept vulnerability reports that are generated entirely or primarily by automated tools or AI systems without meaningful human analysis. Reports must demonstrate a genuine understanding of the vulnerability, including its root cause, impact, and a valid proof-of-concept or clear reproduction steps written by the reporter.

Submitting bulk, low-effort, or AI-generated reports without proper verification constitutes abuse of this program. Ledger reserves the right to discard such reports without response and to permanently ban any individual or entity that repeatedly submits unsolicited, low-quality, or spammy reports.

All communications between you and Ledger should go through bounty -at- ledger.fr. Please use our GPG key as necessary.

The Ledger Security Team will be in touch, usually within 24 hours.

Remediation & Disclosure

After triage, we will send a quick acknowledgement and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.

Ledger has a 90-day disclosure policy, which means that we do our best to fix issues within 90 days of receipt of a vulnerability report.

Reward

You may be eligible to receive a reward if:

  • You are the first person to submit a given vulnerability
  • That vulnerability is determined to be a valid security issue by the Ledger Security Team
  • You have complied with the Ledger Bug Bounty program policy and guidelines

The decision to grant a reward for the discovery of a valid security issue is at Ledger's sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission report, the ease of exploitation and the overall risk to Ledger's users and brand.

Bounties will be paid directly to the researcher using Bitcoin.

Eligibility Requirements

To be eligible for a reward, you must not:

  • Be a resident of, or make your vulnerability submission from, a country against which France has issued export sanctions or other trade restrictions
  • Be in violation of any national, state, or local law or regulation
  • Be employed by Ledger or its subsidiaries or affiliates
  • Be an immediate family member of a person employed by Ledger or its subsidiaries or affiliates
  • Be less than 18 years of age (if under 18, you must get your parents' or legal guardian's permission)

Hall of Fame

In mutual consultation, we can, if you desire, display a researcher's name or pseudonym as the discoverer of the reported vulnerability on our website's Hall of Fame. Please note that the Hall of Fame is dedicated to the Devices Bug Bounty Program.

Code of Conduct

  • Be kind
  • Be respectful and professional in your communications and behavior
  • Hate speech, profanity, or any aggressive threats will not be tolerated
  • Only contact the Ledger Security Team through the email address mentioned above
  • Do not send repeated, unsolicited, or follow-up messages pressuring for a response or reward
  • Do not submit multiple reports for the same issue or flood our inbox with bulk submissions

Violations of this Code of Conduct can result in a warning, the permanent ban of the reporter from this Bug Bounty Program, and the unconditional rejection of all pending and future submissions from that reporter.

This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.

Parts of the program are inspired by Dropbox Bug Bounty Program and HackerOne Code of Conduct.