| Severity | Reward | Example Findings |
| --- | --- | --- |
| Critical | $10,000+ | Remote code execution, private key extraction |
| High | $5,000 | Authentication bypass, firmware vulnerabilities |
| Medium | $1,000 | Information disclosure, logic flaws |
| Low | $100 | Minor bugs, UI issues |
Program Overview
The Mikasiwallet Bug Bounty Program is designed to encourage security researchers to help us identify vulnerabilities in our hardware devices and associated software. We value the security community's efforts in making our products more secure for all users.
Average Response Time: 24h
Scope
| Target | Type | Status |
| --- | --- | --- |
| Mikasiwallet Hardware Device | Hardware/Firmware | ✓ In Scope |
| Device Firmware | Embedded Software | ✓ In Scope |
| *.mikasiwallet.co.com | Web Application | ✓ In Scope |
| Companion Software | Desktop Application | ✓ In Scope |
| Third-party Services | External | ✗ Out of Scope |
| Social Engineering | Physical/Social | ✗ Out of Scope |
Qualifying Vulnerabilities
Critical Severity
- Private key extraction from the hardware device
- Remote code execution on the device
- Cryptographic implementation flaws
- Seed phrase recovery without physical access
High Severity
- Authentication bypass mechanisms
- Firmware signature verification bypass
- Side-channel attacks on the device
- Memory corruption vulnerabilities
Medium Severity
- Information disclosure vulnerabilities
- Logic flaws in transaction signing
- Cross-site scripting (XSS) on our website
- SQL injection vulnerabilities
Low Severity
- UI/UX security improvements
- Missing security headers
- Information leakage in error messages
- Minor configuration issues
Program Rules
Responsible Disclosure
- Report vulnerabilities directly to our security team
- Do not publicly disclose the vulnerability before we've fixed it
- Allow us reasonable time to address the issue (typically 90 days)
- Do not exploit the vulnerability beyond proof of concept
Testing Guidelines
- Only test against your own accounts and devices
- Do not access or modify other users' data
- Avoid automated scanning that could impact service availability
- Do not perform physical attacks on devices not owned by you
Exclusions
- Previously reported or known vulnerabilities
- Vulnerabilities in third-party services
- Social engineering attacks
- Denial of Service (DoS) attacks
- Spam or social media-based attacks
How to Report
To report a vulnerability, please include the following information:
- Description: Clear explanation of the vulnerability
- Impact: Potential security impact and affected components
- Steps to Reproduce: Detailed steps to recreate the issue
- Proof of Concept: Code, screenshots, or videos demonstrating the vulnerability
- Suggested Fix: If available, your recommendations for fixing the issue
All reports should be encrypted using our PGP key and sent to our security team. We aim to respond to all reports within 24 hours and will keep you updated throughout the remediation process.
PGP Key available upon request for encrypted submissions
Legal Safe Harbor
We consider security research conducted in accordance with this policy as authorized conduct under the Computer Fraud and Abuse Act (CFAA) and will not pursue legal action against researchers who comply with this policy.
We will not pursue legal action against you if you:
- Comply with all the guidelines in this policy
- Report vulnerabilities in good faith
- Do not cause harm to our users or services
- Do not violate the privacy of our users