Security Disclosure Policy

Last updated: January 15, 2024

Security First

The security of our users' private keys and digital assets is our top priority. We encourage responsible disclosure of security vulnerabilities and work closely with the security community.

Responsible Disclosure Process

1. Initial Contact

If you discover a security vulnerability in our hardware, firmware, or software:

  • Email us immediately at security@pendle-eu.com
  • Use our PGP key (provided below) to encrypt sensitive information
  • Include as much detail as possible about the vulnerability
  • Do NOT publicly disclose the vulnerability until we've had time to respond

2. Our Response

We commit to:

  • Acknowledge receipt of your report within 24 hours
  • Provide a detailed response within 72 hours
  • Keep you informed of our progress throughout the process
  • Credit you appropriately if you desire (or keep you anonymous)

3. Investigation & Remediation

Our security team will:

  • Investigate and validate the reported vulnerability
  • Assess the severity and potential impact
  • Develop and test appropriate fixes
  • Prepare firmware/software updates if necessary
  • Coordinate disclosure timeline with you

Scope of Security Research

In Scope

We welcome security research on:

  • Hardware: Side-channel attacks, physical tampering, fault injection
  • Firmware: Code execution vulnerabilities, cryptographic implementation flaws
  • Software: Companion apps, desktop software, web interfaces
  • Communication: USB protocols, wireless communications, data transmission
  • Cryptography: Key generation, storage, and transaction signing processes

Out of Scope

Please do not test:

  • Third-party services or blockchain networks
  • Social engineering attacks against our employees
  • Physical attacks requiring device disassembly (contact us first)
  • Denial of service attacks against our infrastructure
  • Testing that could damage devices or data

Vulnerability Classification

Critical Severity

  • Private key extraction or recovery
  • Bypass of PIN/passphrase protection
  • Unauthorized transaction signing
  • Remote code execution on device

High Severity

  • Seed phrase generation predictability
  • Transaction detail manipulation
  • Firmware/software integrity bypass
  • Authentication mechanism flaws

Medium Severity

  • Information disclosure vulnerabilities
  • Protocol implementation weaknesses
  • Denial of service conditions
  • User interface security issues

Low Severity

  • Minor information leaks
  • Cosmetic or usability issues
  • Non-security-related bugs
  • Theoretical vulnerabilities with no practical exploit

Bug Bounty Program

Reward Structure

We offer monetary rewards for qualifying vulnerabilities:

  • Critical: $5,000 - $15,000
  • High: $1,000 - $5,000
  • Medium: $250 - $1,000
  • Low: $50 - $250

Eligibility Requirements

To be eligible for rewards:

  • Follow our responsible disclosure process
  • Provide detailed technical information
  • Allow us reasonable time to fix the issue
  • Avoid publicly disclosing the vulnerability
  • Not violate any laws or regulations

Security Contact Information

Primary Contact

Email: security@pendle-eu.com

Response Time: Within 24 hours

Emergency: +1 (786) 618-2281 (urgent security issues only)

PGP Encryption

For sensitive security reports, please encrypt your message using our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGHxVc0BCADGvX8yO1/Z8/Zq5b6tX3F2Qq8BvD1VcE7p8J9Pqw3X9F7Q2Vc8
... (This would be the actual PGP public key in a real implementation)
8F9E7A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F
-----END PGP PUBLIC KEY BLOCK-----

Key ID: 0x1234567890ABCDEF | Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678

Disclosure Timeline

Standard Process

  • Day 0: Vulnerability reported
  • Day 1: Acknowledgment sent
  • Day 3: Initial assessment completed
  • Day 30: Fix developed and tested
  • Day 60: Security update released
  • Day 90: Coordinated public disclosure

Expedited Process

For critical vulnerabilities that could immediately compromise user funds:

  • Emergency response team activated within 2 hours
  • Hotfix developed within 72 hours if possible
  • Emergency security advisory issued
  • User notification through all available channels

Hall of Fame

We recognize security researchers who help improve our products:

Recent Contributors

  • Dr. Security Researcher - Identified timing side-channel in PIN verification (2024)
  • Anonymous Contributor - Reported firmware validation bypass (2024)
  • University Research Team - Discovered USB protocol weakness (2023)

Legal Protection

We support legitimate security research and will not pursue legal action against researchers who:

  • Follow our responsible disclosure policy
  • Make good faith efforts to avoid harm to users
  • Respect user privacy and data
  • Do not violate applicable laws
  • Act in the interest of improving security

This policy is designed to be compatible with security research under applicable laws, including the Computer Fraud and Abuse Act (US) and similar legislation worldwide.

Thank You

We deeply appreciate the security community's contributions to making our products safer. Your research helps protect our users' digital assets and strengthens the entire ecosystem.