Bug Bounty Program & Responsible Disclosure

Foundation Devices, Inc. (“Foundation”) creates hardware, firmware, software, websites, and web-based services for customers, users, and employees. Foundation expends significant time and effort to ensure that all of these are safe and secure. If you believe you have found an issue or vulnerability, the bug bounty program described below explains how to report it and the conditions under which Foundation will pay bug bounty rewards.

Relevant Domains

For web-based vulnerabilities, only services on the following domains are eligible:

  • foundation.xyz
  • *.foundation.xyz
  • foundationdevices.com
  • *.foundationdevices.com
  • *.foundationdevices.dev

Any service hosted at a domain outside of this list is not in scope for this bug bounty program, with one exception:

  • Systems hosted by a third-party infrastructure provider that Foundation has deemed relevant to hosting and securing the services at the domains listed above. The vulnerability must be one that our engineers are able to address (for example, a misconfiguration under Foundation's control rather than a flaw in the provider's own platform). Foundation reserves the right to make this determination at its sole discretion.

In-Scope Vulnerabilities

We are primarily interested in vulnerabilities in the following focus areas.

SOFTWARE

  • Sensitive data exposure (whether data at rest or in transit)
    • Customer data, API tokens, passwords, private keys, etc.
  • Access control flaws (e.g., insecure direct object references, missing authorization checks, privilege escalation)
  • Cryptographic vulnerabilities (e.g., bugs in encryption/decryption code or signature generation/verification)
  • Signing a transaction without user approval or signing a different transaction than was shown to the user
  • Remote Code Execution (RCE)
  • Server-side Request Forgery (SSRF)
  • Cross-site Request Forgery (CSRF)
  • Man-in-the-Middle attacks (MITM)
  • SQL Injection

HARDWARE/FIRMWARE

  • Circuit board design errors that result in a security issue
  • Secure boot, root-of-trust, or other bootloader security errors
  • Firmware update validation errors (e.g., accepting an update without a valid signature) or downgrade attacks (rolling back to an older, vulnerable firmware version)

Out-Of-Scope Vulnerabilities

The following are not considered relevant to this bug bounty program, and reports of them will not be paid. Foundation may choose not to respond to reports of these kinds.

  • SSL/TLS version and configuration issues, weak ciphers or expired certificates
  • Denial-of-service (DoS) attacks
  • Self-XSS without a reasonable attack scenario
  • SPF/DKIM/DMARC related issues
  • Missing or misconfigured security headers (e.g., HSTS) which do not directly lead to a vulnerability
  • Vulnerable software version disclosure without proof of vulnerability
  • Reports solely from automated tools
    • If automated tooling was used in your vulnerability discovery, that is acceptable, but only if it is accompanied by information demonstrating a real exploit
  • Brute-force attacks
  • Bugs unrelated to the security of our systems or the privacy of our customers and employees
  • Hardware vulnerabilities related directly to a component used in a device created by Foundation (e.g., a weak random number generator in the MCU) — reports for these types of vulnerabilities should be made directly to the component manufacturer

Requirements

  • All reports must be made in good faith. Withholding information from Foundation for ransom, or actively abusing a discovered vulnerability, will disqualify you from receiving any bounty reward, both for the related issue and for any future reports.
  • Take every precaution not to leak sensitive information. If you do gain access to sensitive information, you MUST NOT include it in your report; instead, provide a detailed description of how the vulnerability was discovered and used so that we can reproduce it. If Foundation requires proof that sensitive information was accessible, we will coordinate a secure way for you to send it later.
  • Communication with our team must be professional and respectful. We strive to treat all researchers and their reports with the respect they deserve. We may ask for more details in our correspondence with you in order to determine the legitimacy and scope of the report.
  • Reports must be legitimate. They must demonstrate a real vulnerability, not a theoretical one, and must be accompanied by a repeatable procedure that demonstrates it.
  • Payments for valid issues under this bug bounty program will generally be made to the first party that reports the issue. If, however, your report lacks the detail necessary to fully understand or reproduce the issue, we will attempt to work with you to resolve this. If you become unresponsive or are unable to provide such details, Foundation may, at its sole discretion, elect to work with and reward other researchers who have reported the issue, if any.

Responsible Disclosure

To be eligible for payment under this bug bounty program, a vulnerability must not be reported publicly before Foundation has had ample time to assess its risk level and patch it appropriately. We aim to have all critical vulnerabilities patched within 30 days of receiving the report, but we may require more time, and we ask for your cooperation in that effort. Once the vulnerability has been identified, reproduced, and patched, researchers may publish their vulnerability report after receiving written confirmation from Foundation via email.

Foundation Devices, Inc. reserves the right to modify the terms of this bug bounty program, at any time, for any reason, and without prior notice. It also reserves the right to refuse payment for any reason, at its sole discretion.

Have a security issue or bug to report?

Send us an email