Remove BTC address, as bounties are not rewarded from a fixed address anymore
mmouchous-ledger committed Jul 31, 2024
1 parent 73306f4 commit 2e974e5
Showing 1 changed file with 1 addition and 10 deletions.
11 changes: 1 addition & 10 deletions bounty.md
Expand Up @@ -6,12 +6,10 @@ permalink: /bounty/

Ledger believes in better security through openness. We welcome and value technical reports of vulnerabilities that could substantially affect the confidentiality or integrity of user data on Ledger devices or the security of our infrastructure. If you believe that you have discovered such a vulnerability, please report it at `bounty -at- ledger.fr` ([GPG key](/assets/ledger-bounty.asc) if necessary). The Ledger Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.


## Eligibility

Ledger Bug Bounty Program covers our hardware devices as well as our web services.


### Devices Bug Bounty Program 📟

We are mainly interested in vulnerabilities that would eventually allow attackers to steal crypto assets from Ledger devices.
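Review bot: This hunk, like seven of the eight in this commit, only drops a doubled blank line; mixing blank-line cleanup across the whole file with the single substantive change (the zpub removal under "Specifically we are interested in the following kinds of information:") makes the commit harder to review and to revert selectively, so consider moving the whitespace-only deletions into a separate commit.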
Expand All @@ -33,7 +31,6 @@ Examples of vulnerabilities that are in-scope:
- Bypass of user confirmation to issue a transaction
- Sensitive memory leak


### Web Bug Bounty Program 🌐

We are interested in critical vulnerabilities in our infrastructure. In a nutshell, we are interested in real vulnerabilities, not in output of automated scanners. **Due to the large amount of emails received daily, we might not be able to respond to all reports for out-of-scope vulnerabilities.**
Expand Down Expand Up @@ -62,7 +59,7 @@ Specifically we are interested in the following kinds of information:

- We are interested in any new information, legally obtained, allowing us and law enforcement to identify and successfully prosecute those responsible for attacks on Ledger and its customers.

We have created a 10 BTC fund for any information leading to successful arrest and prosecution ([`zpub6reAqYxz5rB2ydBuj4mxmusUqiSu7TqkzATtE4DaYhTUuPzWmgTorTrPYygJa8A4aq1hSERQmwZT2KVH9Mc7Nn8amcPmTsqQgzkEBvjwDym`](https://blockpath.com/search/addr?q=zpub6reAqYxz5rB2ydBuj4mxmusUqiSu7TqkzATtE4DaYhTUuPzWmgTorTrPYygJa8A4aq1hSERQmwZT2KVH9Mc7Nn8amcPmTsqQgzkEBvjwDym)).
We have created a 10 BTC fund for any information leading to successful arrest and prosecution.

To submit your bounty information, please use **bounty-phishing - at - ledger.com**.

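Review bot: Removing the zpub and the blockpath.com link is the right call once, as the commit message says, rewards are no longer paid from a fixed address: a published extended public key lets anyone derive and watch every address of that wallet, not just the one that was meant to hold the fund. The retained sentence "We have created a 10 BTC fund for any information leading to successful arrest and prosecution." now makes a claim readers can no longer verify, so either state how the fund can be confirmed or soften the wording so it does not read as a promise backed by a visible balance.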
Expand All @@ -82,7 +79,6 @@ In identifying potential vulnerabilities, we ask that all security researchers s
- May impact Ledger users, such as denial of service, social engineering or spam.
- Do not exploit vulnerabilities on our infrastructure. The Bounty Program is about improving security for Ledger users, not deliberately trying to put the community at risk.


## Submission Process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.
Expand All @@ -97,7 +93,6 @@ The Ledger Security Team will be in touch, usually within 24 hours.

When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Ledger’s prior written approval.


## Remediation & Disclosure

After triage, we will send a quick acknowledgement and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information or your qualification for a reward.
Expand All @@ -108,7 +103,6 @@ Once the security issue is fixed or mitigated, the Ledger Security Team will con

Ledger has a 90-day disclosure policy, which means that we do our best to fix issues within 90 days upon receipt of a vulnerability report. If the issue is fixed sooner and if there is mutual agreement between the security researcher and the Ledger Security Team, the disclosure might happen before the 90-day deadline.


## Reward

You may be eligible to receive a reward if:
Expand All @@ -131,12 +125,10 @@ To be eligible for a reward, you must not:
- Be an immediate family member of a person employed by Ledger or its subsidiaries or affiliates,
- Be less than 18 years of age. If you are under 18 years old, or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.


## Hall of Fame

In mutual consultation, we can, if you desire, display a researcher’s name or its pseudonym as the discoverer of the reported vulnerability on our website’s [Hall of Fame](/hall-of-fame/). Please note that the Hall of Fame is dedicated to the Devices Bug Bounty Program.


## Code of Conduct

- Be kind.
Expand All @@ -147,7 +139,6 @@ In mutual consultation, we can, if you desire, display a researcher’s name or

Violations of this Code of Conduct can result in a warning and/or ban of this Bug Bounty Program.


*This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.*

*Parts of the program are inspired by [Dropbox Bug Bounty Program](https://hackerone.com/dropbox) and [HackerOne Code of Conduct](https://www.hackerone.com/policies/code-of-conduct).*
