Trusted Firmware
Bounty Range
$1,000 - $20,000
external program
Trusted Firmware provides a reference implementation of secure software for Arm Armv8-A, Armv9-A and Armv8-M. It provides SoC developers and OEMs with a reference trusted code base complying with the relevant Arm specifications.
This Bug Bounty program rewards eligible vulnerability reports in the following Trusted Firmware projects:
Note: If you like this, you may also be interested in the Arm Bug Bounty Program at https://app.intigriti.com/company/programs/arm/arm/detail.
| Severity | CVSS Score | Tier 2 |
|---|---|---|
| Low | 0.1 - 3.9 | $1,000 |
| Medium | 4.0 - 6.9 | $3,000 |
| High | 7.0 - 8.9 | $10,000 |
| Critical | 9.0 - 9.4 | $20,000 |
| Exceptional | 9.5 - 10.0 | $20,000 |
Total Bounty Range: $1,000 - $20,000
By submitting your report, you agree to the terms of this Bug Bounty Program. Arm reserves the right to alter the terms and conditions of this program at any time and at its sole discretion.
To be eligible for Arm's Trusted Firmware Bug Bounty Program, you must not:
Be a resident of, or make your submission from, a country that the US, UK or EU has embargoed, sanctioned, or otherwise controlled/restricted (e.g., Cuba, Iran, North Korea, Sudan, Syria, Russia, etc.).
Be, be affiliated with or work for, an entity which the US, UK or EU has embargoed, sanctioned, or otherwise controlled/restricted.
Be legally prohibited from being rewarded by Arm, Trusted Firmware or Intigriti for any reason.
Be a current employee of a Trusted Firmware member company, its affiliates or subsidiaries, or an employee who has left employment of a Trusted Firmware member company, its affiliates or subsidiaries within the past 12 months.
Be an immediate family member of a current employee of a Trusted Firmware member company, its affiliates or subsidiaries, or an immediate family member of an employee who has left a Trusted Firmware member company, its affiliates or subsidiaries within the past 12 months.
Be less than 18 years of age.
Your relationship with Arm in the context of your participation in any Arm Program (as defined in the Researcher T&C) is exclusively governed by the law of England & Wales, and the courts of London, England, will have sole jurisdiction for any claims or disputes between you and Arm in the context thereof.
Arm considers ethical hacking activities conducted in a manner consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. Arm will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by Arm to protect the scope as part of your ethical hacking activities.
Please note that Arm is not able to grant authority or safe harbor to researchers for any security vulnerability testing of third-party software or systems.
Vulnerability reports must:
be reproducible by Arm using either the main branch or a currently supported LTS branch of an in-scope project;
exist in code that's intended for production deployment (e.g., code that is clearly marked as "experimental" or "examples" is out of scope);
contain a proof-of-concept demonstrating that the issue is exploitable and causes a meaningful security impact;
be exploitable using existing supported platform code.
Trusted Firmware projects that are not listed as in scope. Please submit vulnerability reports for other projects directly to Trusted Firmware.
Vulnerabilities identified in code marked as experimental, test code or other non-production code (e.g., support tooling) are out of scope of the program.
Attacks that are outside the scope of the project's threat model
Vulnerabilities in platform-specific code for non-Arm products, e.g.:
Vulnerabilities in modifications or customisations of Trusted Firmware that do not exist in official Trusted Firmware repos.
Vulnerabilities in Trusted Firmware's web estate
Trusted Firmware's web infrastructure is hosted by Linaro. To report vulnerabilities in Trusted Firmware's web estate please follow the Linaro Security Incident Handling Process.
If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited.
Spam, social engineering and physical intrusion
DoS/DDoS attacks or brute force attacks
Vulnerabilities that only work on devices that no longer receive security updates
Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
Reports that state that software is out of date/vulnerable without a proof-of-concept.
The decision to grant a reward (bounty or bonus) for a vulnerability report, and the value of that reward (if any), is entirely within Arm's discretion. If we decide to offer a reward for a vulnerability report, the value of the reward will usually be based on the demonstrated impact and severity of the reported vulnerability.
Note: The maximum bounty that will be rewarded for vulnerabilities that are only exploitable by a Trusted Application (OP-TEE) or Secure Partition (TF-A & TF-M) is 'Low'.