Security

Our source code is publicly available and we actively collaborate with the security research community. If you believe you've discovered a vulnerability that could affect Frostsnap devices, software, or infrastructure, please report it to security - at - frostsnap.com.

Please encrypt sensitive matters: pgp.txt

PGP Fingerprint:
F19C CCCD 876B 6E57 FB71  2206 A9D5 981F 42B0 EA50

We are particularly interested in vulnerabilities that could allow attackers to compromise the security of bitcoin managed by Frostsnap devices.

Devices & Firmware

This category is by far the most important to us, as the devices are the ultimate point of security in our threat model.

  • Key share extraction or injection
  • Bypassing user transaction confirmation
  • Arbitrary code execution without firmware warning
  • Defeating device encryption
  • Physical and supply chain attacks

Coordinator App

Our threat model assumes the host can be malicious—transactions must be confirmed on device displays. We still take these issues seriously.

  • Modification of data sent to or received from devices
  • Third-party library and supply chain vulnerabilities
  • Cross-site scripting with clear security impact

Web Infrastructure

  • Sensitive data exposure
  • Payment and order tampering
  • Server misconfigurations allowing unauthorized access

Out of Scope

  • Phishing or social engineering attacks
  • Missing security headers without proof of concept
  • Reports from automated scanners without demonstrated exploitability
  • Outdated libraries without significant, exploitable vulnerabilities

Responsible Disclosure

By submitting a vulnerability, you agree to provide us time to diagnose and resolve the issue before sharing details publicly. We will coordinate disclosure together.

  • Use exploits solely to verify the existence of vulnerabilities
  • Do not engage in testing that degrades our systems or impacts users
  • Do not exploit vulnerabilities beyond what is necessary to confirm them
  • Avoid unauthorized access, storage, or destruction of data

Submitting a Report

Email security - at - frostsnap.com. For sensitive matters, we can provide instructions for setting up an encrypted channel.

Include:

  • Description of the vulnerability and its potential impact
  • Clear steps to reproduce, or a proof of concept
  • Explanation of how it affects Frostsnap's security
  • How you'd like to be credited (if at all)

Frostsnap is open source. You can deterministically build the device firmware to verify upgrades. Or contribute to the code! github.com/frostsnap

Contact

security - at - frostsnap.com