We highly value the security research community’s participation in our bug bounty program, as it plays a vital role in strengthening our security measures. Your dedication to identifying and reporting potential vulnerabilities in our mobile applications and backend infrastructure is greatly appreciated. Outlined below are the scope and guidelines for our bug bounty program.
In Scope
- Private key extraction or exposure
- Key generation weaknesses (RNG, WalletCore, keystore)
- Seed import/export vulnerabilities (clipboard, encryption)
- Derivation path manipulation (BIP32/44/49/84)
- Transaction signing flaws (domain separation, deterministic signing)
- Authentication bypasses (biometric, PIN)
- Storage encryption weaknesses
- Memory leaks exposing sensitive data
- Any vulnerability leading to loss of funds, secret phrase exposure, or privacy breaches
Out of Scope
The following are not eligible for rewards:
- Social engineering, phishing, physical attacks, or Denial of Service (DoS/DDoS)
- Vulnerabilities requiring rooted/jailbroken devices or outdated app versions
- Network-level attacks (Man-in-the-Middle, DNS spoofing, WiFi attacks)
- Third-party services, APIs, blockchain protocols, smart contracts, or dependencies without direct Gem Wallet impact
- Known/duplicate issues, automated scanner output, or theoretical vulnerabilities without proof of concept
- Low-impact issues (self-XSS, unlikely user interaction, information disclosure without security impact, rate limiting)
- Public disclosure before coordinated fix, or unauthorized production testing
Out of Scope Domains
- support.gemwallet.com
- status.gemwallet.com
Scope
Apps
Repositories
Domains
- gemwallet.com
- api.gemwallet.com
- gemnodes.com
Rewards
Critical ($5,000–$8,000)
- Remote private key extraction without user interaction
- Unauthorized transaction signing leading to fund theft
- Secret phrase exposure through application vulnerabilities
High ($2,000–$5,000)
- Key generation or derivation path vulnerabilities
- Storage encryption weaknesses exposing sensitive data
Medium ($600–$2,000)
- Authentication bypasses (biometric, PIN, passphrase)
- Transaction signing flaws with user interaction
- Memory leaks exposing private keys or seed phrases
- Seed import/export vulnerabilities
Low ($100–$600)
- Security-impacting UI issues that could lead to user confusion
- Minor information disclosure without direct fund loss
Eligibility
- Gem Wallet determines validity, severity, and reward amounts at its sole discretion - only the first reporter is eligible
- Employees, contractors, and their family members are ineligible
- Testing must be conducted in good faith and comply with all applicable laws
Responsible Disclosure
We follow a coordinated disclosure process to protect our users:
- Do not publicly disclose vulnerabilities before they are fixed - allow us reasonable time to address the issue
- We’ll keep you updated on the progress and credit you for the discovery (unless you prefer to remain anonymous)
- We may publish security advisories for critical issues after they’re resolved
By participating in good faith security research, you help us protect millions of crypto users worldwide.
Submission
If you believe you’ve found a valid security vulnerability, please report it to [email protected] with detailed steps to reproduce the issue. We respond to security reports within 24-48 hours.
For general questions or non-security issues, visit docs.gemwallet.com or contact [email protected].