Security
This page details our security practices. Interested in learning more about Passport’s security model? Check out the link below.
Security Audits
We occasionally engage outside contractors in security audits. The results of these audits can be found below.
Q2 2021 – Passport Audit by Keylabs
- Original Audit (PDF)
- Foundation Response to Audit (PDF) – this response has been reviewed by the Keylabs team
Reproducibility
Passport builds are reproducible, and we publish a Build Hash with each release for technical users who wish to build our firmware from source.
If you’d like to reproduce the builds yourself, you can do so by following our guide on GitHub below.
Bug Bounty program and responsible disclosure
We want to keep all our products and services safe and secure for everyone. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner. We provide a bug bounty program to better engage with security researchers and hackers.
For PGP encrypted emails, please see our PGP keys here.
Bug Bounty Program
Foundation Devices, Inc. (“Foundation”) creates hardware, firmware, software, websites, and web-based services for customers, users, and employees. Foundation expends significant time and effort to ensure that these are all safe and secure. If you believe that you have found an issue or vulnerability, however, the bug bounty program below describes the actions you should take to report the issue, and under what conditions Foundation will pay out bug bounty rewards.
Relevant Domains
For web-based vulnerabilities, only services on the following domains are eligible:
- foundationdevices.com
- *.foundationdevices.com
- *.foundationdevices.dev
Any service hosted at a domain outside of this list will not be considered relevant to this bug bounty program, with the following exception:
- Access to systems hosted by a third-party infrastructure provider that has been deemed relevant to the hosting and securing of services at the domains listed above. The vulnerability must be addressable by our engineers. Foundation reserves the right to make this determination at its sole discretion.
In-Scope Vulnerabilities
We are primarily interested in vulnerabilities related to the following focus areas.
SOFTWARE
- Sensitive Data Exposure (whether data at rest or in transit)
  - Customer data, API tokens, passwords, private keys, etc.
- Access Control (e.g., insecure reference or access, privilege escalation)
- Cryptographic vulnerabilities (e.g., bugs in encryption/decryption code or signature generation/verification)
- Signing a transaction without user approval or signing a different transaction than was shown to the user
- Remote Code Execution (RCE)
- Server-side Request Forgery (SSRF)
- Cross-site Request Forgery (CSRF)
- Man-in-the-Middle attacks (MITM)
- SQL Injection
HARDWARE/FIRMWARE
- Circuit board errors resulting in a security issue
- Secure root-of-trust or other bootloader security errors
- Firmware update validation errors or downgrade attacks
Out-of-Scope Vulnerabilities
The following are not considered to be relevant to this bug bounty program, and will not receive payment for reporting. Foundation may choose not to respond to reports of these kinds.
- SSL/TLS version and configuration issues, weak ciphers or expired certificates
- Denial-of-service (DoS) attacks
- Self-XSS without a reasonable attack scenario
- SPF/DKIM/DMARC related issues
- Missing or misconfigured security headers (e.g., HSTS) which do not directly lead to a vulnerability
- Vulnerable software version disclosure without proof of vulnerability
- Reports solely from automated tools
  - If automated tooling was used in your vulnerability discovery, that is acceptable, but only if it is accompanied by information demonstrating a real exploit
- Brute-force attacks
- Bugs not related to the issue of security of our systems, or the privacy of our customers and employees
- Hardware vulnerabilities related directly to a component used in a device created by Foundation (e.g., a weak random number generator in the MCU) — reports for these types of vulnerabilities should be made directly to the component manufacturer
Requirements
- All reports must be made in good faith. Withholding information from Foundation for ransom, or actively abusing a discovered vulnerability will disqualify you from receiving any bounty reward, both for the related issue and in the future.
- All efforts must be taken not to leak sensitive information. If you do gain access to sensitive information, you MUST NOT include it in your report, but rather provide a detailed description of how the vulnerability was discovered and used, so we can replicate it. If Foundation requires proof of sensitive information, we will coordinate a secure way for you to send it later.
- Communication with our team must be professional and respectful. We strive to treat all researchers and their reports with the respect they deserve. We may ask for more details in our correspondence with you, in order to determine the legitimacy and scope of the report.
- Reports must be legitimate. They must demonstrate a real vulnerability, not a theoretical one, and must be accompanied by a repeatable procedure to demonstrate effectiveness.
- Payments for valid issues under this bug bounty program will generally be made to the first party reporting the issue. If, however, your report is lacking the detail necessary to fully understand or reproduce the issue, we will attempt to work with you to resolve this. If you become unresponsive or are unable to provide such details, Foundation may, in its sole discretion, elect to work with and reward other researchers who have reported the issue, if any.
Responsible Disclosure
To be eligible for payment in this bug bounty program, vulnerabilities discovered must not be reported publicly before Foundation has had ample time to determine the risk level and patch the vulnerability appropriately. We aim to have all critical vulnerabilities patched within 30 days of receiving the report, but we may require more time, and we ask for your cooperation in that effort. Once the vulnerability has been identified, replicated, and patched, researchers may publish their vulnerability report after receiving written confirmation from Foundation via email.
Foundation Devices, Inc. reserves the right to modify the terms of this bug bounty program, at any time, for any reason, and without prior notice. It also reserves the right to refuse payment for any reason, at its sole discretion.