PolarSSL is now part of ARM (see the official announcement) and has been rebranded as mbed TLS.

mbed TLS C Library Bug bounty program

Bounty programs

We believe in the power of the security researcher community to keep our mbed TLS C code secure. We encourage responsible disclosure of security vulnerabilities via our SSL library bug bounty programs described on this page.

mbed TLS C library

Our minimum payout is 250 EURO (or an equivalent in bitcoin) for reporting a previously unknown remote security vulnerability in the latest mbed TLS library (that is, the C code) to us. We may award higher amounts based on the severity or creativity of the vulnerability found. We will name and thank you in the ChangeLog distributed with the source code and in the Security Advisory, if one is published.

We reserve the right to decide if the vulnerability meets the minimum severity threshold and whether it was previously reported.

In general, anything that allows remote attackers to gain access to key data or plaintext data, or to corrupt memory (memory injection), is of sufficient severity, including:

  • Heap overflows
  • Buffer overflows
  • Remote code execution
  • Privilege escalation
  • Leaking of key information

In general, the following would not meet the threshold for severity:

  • Denial of service
  • Vulnerabilities in third party applications using mbed TLS

Other notices

  • You are responsible for any tax implications or local laws / rules that are relevant for your country.
  • Please give us the time to respond to you and fix the vulnerability before going public. We do our best to respond to and fix any issues quickly. Afterwards, we encourage you to take your time and make a write-up about your findings in our source code!

Found something? How to disclose?

You can disclose a vulnerability through the "Disclose a vulnerability" form on this page.

Please include (if possible):

  • Description and potential impact
  • Steps to reproduce the issue or a proof of concept
  • Name and link for attribution

Thanks for helping us keep mbed TLS secure!