Security
Our source code is publicly available and we actively collaborate with the security research community. If you believe you've discovered a vulnerability that could affect Frostsnap devices, software, or infrastructure, please report it to security@frostsnap.com.
Our team will verify the issue, work with you on remediation, and reward valid submissions.
Scope
We are particularly interested in vulnerabilities that could allow attackers to compromise the security of bitcoin managed by Frostsnap devices.
Devices & Firmware
This category is by far the most important to us, as the devices are the ultimate point of security in our threat model.
- Key share extraction or injection
- Bypassing user transaction confirmation
- Arbitrary code execution without firmware warning
- Defeating device encryption
- Physical and supply chain attacks
Coordinator App
Our threat model assumes the host can be malicious—transactions must be confirmed on device displays. We still take these issues seriously.
- Modification of data sent to or received from devices
- Third-party library and supply chain vulnerabilities
- Cross-site scripting with clear security impact
Web Infrastructure
- Sensitive data exposure
- Payment and order tampering
- Server misconfigurations allowing unauthorized access
Out of Scope
- Phishing or social engineering attacks
- Missing security headers without proof of concept
- Reports from automated scanners without demonstrated exploitability
- Outdated libraries without significant, exploitable vulnerabilities
Responsible Disclosure
By submitting a vulnerability, you agree to provide us time to diagnose and resolve the issue before sharing details publicly. We will coordinate disclosure together.
- Use exploits solely to verify the existence of vulnerabilities
- Do not engage in testing that degrades our systems or impacts users
- Do not exploit vulnerabilities beyond what is necessary to confirm them
- Avoid unauthorized access, storage, or destruction of data
Submitting a Report
Email security@frostsnap.com. For sensitive matters, we can provide instructions for setting up a Signal encrypted channel.
Include:
- Detailed description of the vulnerability and its potential impact
- Clear steps to reproduce (proof-of-concept scripts or screenshots recommended)
- Explanation of how it affects bitcoin managed by Frostsnap
- How you'd like to be credited (if at all)
We will verify and prioritize your report, then work to remediate promptly. We'll keep you informed of progress.
Rewards
You may be eligible for a Bitcoin bounty if:
- You are the first person to report the vulnerability
- The vulnerability is confirmed by our security team
- You have complied with the responsible disclosure guidelines
Reward amounts are determined by severity and impact on bitcoin managed by Frostsnap. Hardware and firmware vulnerabilities are weighted most heavily.
Open Source
Frostsnap is fully open source. You can review our code, submit improvements, or report issues on GitHub. For security-sensitive issues, please use email rather than public GitHub issues.
GPG Key
For encrypted communications:
[GPG KEY PLACEHOLDER]
Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Download: pgp.txt
Contact
security@frostsnap.com
Thanks for helping keep Bitcoin users safe.