ELLIPAL Bounty Programme

ELLIPAL Bounty Programme

Get Rewards For Finding ELLIPAL's Vulnerabilities

We are looking for talented security researchers to help ELLIPAL to find vulnerabilities on our cold wallet solution.

Any users or researchers with an ELLIPAL could help us to find what can be improved with the ELLIPAL and let us know. After your data is submitted back to ELLIPAL and if we feel that it is a qualifying vulnerability , we will reward you and implement your advice.

We would like to collaborate smoothly with all users or researchers for improving the security of ELLIPAL hardware wallet. These operation by users or researchers will be welcome:

  • Report found vulnerabilities to ELLIPAL timely. Never exploit them without permission.
  • Workwithin the disclosure guidelines and rules set out by the ELLIPAL Security Team.
  • Make a good faith effort not to access or destroy anyuser’s data.


Disclosure Policy

After submitting a vulnerability report, you enter a process of cooperation in which you allow ELLIPAL to analyze and remedy the vulnerability before disclosing its content to third parties and/or the general public.

ELLIPAL promises that vulnerability reported by users or researchers will be protected from legal liability if they follow the disclosure guidelines and rules set out by the ELLIPAL Security Team.

ELLIPAL ask all users or researchers: not degrades ELLIPAL’s system and products, not attack our infrastructure, and not deliberately trying to put the community at risk. At the same time,  researchers don’t engage in impacting ELLIPAL users, such as denial of service, social engineering or spam.


Submission process

Submission reports should include a detailed description of your research and discovery with clear steps allowing us to reproduce the result. And you could follow the steps below for the submission:


The ELLIPAL Security Team will feedback as soon as possible, usually within 24 hours. All communications between you and ELLIPAL should only by src@ellipal.com. You may not publicly disclose your discovery to any third parties without ELLPAL’s written approval.



After vulnerability is confirmed by ELLIPAL, we will send an expected remediation timeline, requests for additional information and your qualification for a reward to you.

Researchers allow ELLIPAL cooperate with them to diagnose and offer fully tested updates before any party discloses detailed vulnerability or exploit information to the public.



When the security issue is fixed, the ELLIPAL Security Team will contact researchers and send you written consent for later disclosure, including the draft description of the vulnerability.


Wall of Fame

  • Charles GUILLEMET, Chief Security Officer of Ledger