Security Disclosure Policy

🔒 Security First: We take security seriously. If you discover a security vulnerability in our hardware wallet, firmware, or services, please report it responsibly.

Reporting Security Issues

How to Report

Email: security@pendle-v2.com

PGP Key: Available on request

Response Time: Within 24 hours

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Your contact information
  • Any proof-of-concept code (if applicable)

Our Commitment

Response Timeline

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Regular Updates: Every 7 days until resolved
  • Resolution Target: 90 days for critical issues

Protection for Researchers

  • We will not pursue legal action against researchers who disclose responsibly
  • We will work with you to understand and validate the issue
  • We will keep your identity confidential (if requested)
  • We may offer recognition in our security acknowledgments

Scope

In Scope

  • Hardware wallet firmware vulnerabilities
  • Cryptographic implementation issues
  • Physical hardware security flaws
  • Website and web application security
  • API security issues
  • Supply chain security concerns

Out of Scope

  • Third-party wallet application issues
  • Social engineering attacks
  • Physical theft or device loss
  • Issues requiring physical device modification
  • Denial of service attacks

Responsible Disclosure Guidelines

Do

  • Report vulnerabilities as soon as possible
  • Provide sufficient detail for reproduction
  • Allow reasonable time for fixes before public disclosure
  • Use encryption when sharing sensitive details

Don't

  • Publicly disclose before we've had time to fix the issue
  • Access user data or modify systems beyond proof-of-concept
  • Perform testing that could affect other users
  • Demand payment or threaten public disclosure

Security Measures

Development Practices

  • Secure coding standards and review processes
  • Regular security audits by third parties
  • Penetration testing of firmware and systems
  • Secure development lifecycle implementation

Hardware Security

  • Secure element chip protection
  • Tamper-evident packaging
  • Hardware random number generation
  • Side-channel attack resistance

Recognition Program

We believe in recognizing security researchers who help make our products safer:

  • Hall of Fame: Public recognition (with permission)
  • Swag Program: Pendle hardware and merchandise
  • Coordination: We may coordinate with CVE numbering

Security Updates

When security issues are resolved, we will:

  • Release firmware updates promptly
  • Publish security advisories
  • Notify affected users directly
  • Provide upgrade instructions

Contact Information

Security Team

Email: security@pendle-v2.com

PGP: Request public key

Response: Within 24 hours

Thank You: Security researchers play a vital role in keeping our users safe. We appreciate your responsible disclosure and contribution to hardware wallet security.