mbed TLS C Library Bug bounty program
Bounty programs
We believe in the power of the security researcher community to keep our mbed TLS C code secure. We encourage responsible disclosure of security vulnerabilities via our SSL library bug bounty programs described on this page.
mbed TLS C library
Our minimum payout is 250 EURO (or an equivalent in bitcoin) for reporting a previously unknown remote security vulnerability in the latest mbed TLS library (that is the C code) to us. We may award higher amounts based on severity or creativity of the vulnerability found. We will name and thank you in the ChangeLog distributed with the source code and in the Security Advisory if published.
We reserve the right to decide if the vulnerability meets the minimum severity threshold and whether it was previously reported.
In general, anything that allows remote attackers to get access to key data or plaintext data or to do a memory injection is of sufficient severity, including:
In general, the following would not meet the threshold for severity:
Found something? How to disclose?
You can disclose a vulnerability by clicking:
Please include (if possible):
Thanks for helping us keep mbed TLS secure!