Feb 28

Keeping Our Edge: the Bounty Program

Bounty Program

We have previously taken a closer look into our security technology, including a look at Secure Elements, our custom Operating System, BOLOS and the usage of a Root of Trust.

The next three articles will take a look into how we keep our edge when it comes down to security. For this, we will be interviewing our Chief Security Officer, Charles Guillemet, for insights into our consistent work on maintaining the high level of security.

Today, we will discuss Ledger’s bounty program with him.

Could you tell us a little bit more about bounty programs?

Bounty programs are deals where security researchers, sometimes known as hackers, try to find security weaknesses in software and hardware solutions. Awards are offered to those who responsibly report security issues that meet the bounty’s conditions.

In the security ecosystem, most researchers act ethically and participate in bounty programs. In this case, they follow responsible disclosure. This means that when they find a vulnerability (bug which could have security impacts), they disclose it to the manufacturer/software developer and give them sufficient time to keep their users safe and fix the problem when possible.

Bounty programs encourage this behavior by rewarding it.

When did bounty programs start being implemented?

The first known bug bounty program was in 1983 and was organized by Hunter & Ready. It became very popular quite lately, since last decade, more and more technology giants (Microsoft, Google, Mozilla, etc.) have opened bug bounty programs for their products. The total bounty rewards given by companies keeps increasing.

Bounty programs became popular in the software industry, but remains rare when it comes down to hardware. This is starting to change and at Ledger we are part of this movement – we believe this is how security should be treated in the 21st century.

What does Ledger’s bounty program look like?

Ledger awards prizes for security related bugs found in our products that are reported responsibly (details are on our bounty program page). There are specific kinds of vulnerabilities which are eligible.

Most notably, we focus our bounty program on anyone who can break Ledger devices’ (Blue, Nano S, Nano X) threat model. This includes managing to counterfeiting a legitimate device (break genuineness), extracting the 24-word recovery phrase (seed), bypassing the PIN, running a non-ledger app preventing the warning message (on the device) or being able to break isolation between apps.

There are other, somewhat less critical vulnerabilities that could be interesting to us and will be rewarded. One can think of vulnerabilities within Ledger Live. Even harmless bugs can be interesting for us and are equally rewarded. The amount of the reward depends on several factors:

  • Criticality
  • Difficulty of the attack
  • The help provided by the security researcher

For more information, I’d like to recommend our readers to take a closer look at our bounty program page.

When and why did we start Ledger’s bounty program?

We have used our bounty program since the beginning of Ledger in 2014. We publicly announced it at the beginning of 2018, however. Even though our security team is striving to develop the most secure hardware wallet in the market, there’s always a chance that we may have missed something.

Our bounty program aims to having precious, valuable help from security researchers, to keep increasing the high standard we have set for ourselves and to reward those who have been able to help us in this.

What has the result been so far?

The bounty program has helped to improve our security. The most notable results have led to upgrading the Ledger Nano S firmware (1.4 and 1.5), which provided patches to security issues. The security researchers had followed the responsible disclosure agreement process and were thus awarded with a bounty. The prizes range from 50$ worth Bitcoin for minor vulnerabilities to several Bitcoins for more critical ones.

We currently receive several submissions per week for our bounty program.

While we don’t reward low quality reports, especially the ones generated by an automated web scanner, we deeply appreciate receiving unexpected and high quality reports which helps us to create the best product we can provide.

What are the next steps for the bounty program?

We’d like to continue and engage with the incredible security research community that has already proven how important they are to us. We will always move forward with the thought that there is always a chance that we have missed something and that we will continuously work on improving our products’ security.

We are also taking part to Capture The Flag (CTF) challenges among other activities. This is done by our internal security lab, the Ledger Donjon, which we’ll discuss in more detail in our next interview.

About Charles Guillemet:

Charles joined Ledger in 2017 as Chief Security Officer after working for 10 years of in the Cryptography & Hardware Security sector. Charles holds a Master of Science in Cryptography & Security at the Engineering School ENSIMAG, with a Major in Cryptography and Security, where he is now a Lecturer.

Pre-order Ledger Nano X