Effective June 2, 2026, Gem Wallet no longer operates a standing monetary bug bounty program. Responsible disclosure remains open, and we continue to welcome good-faith, reproducible reports that help protect Gem Wallet users.

We are making this change because modern AI-assisted tooling has changed the economics of vulnerability reporting. High-quality reports are valuable, but open-ended bounty incentives also attract speculative, duplicate, and low-signal submissions that require significant engineering review before they can be dismissed. That time is often better spent on audits, remediation, release hardening, and direct security improvements.

Reports submitted before June 2, 2026 will be handled under the bounty terms that applied at the time of submission. New reports submitted on or after June 2, 2026 are not eligible for a standing bounty payout unless Gem Wallet has separately agreed to a private engagement in writing.

In Scope

  • Private key extraction or exposure
  • Key generation weaknesses (RNG, WalletCore, keystore)
  • Seed import/export vulnerabilities (clipboard, encryption)
  • Derivation path manipulation (BIP32/44/49/84)
  • Transaction signing flaws (domain separation, deterministic signing)
  • Authentication bypasses (biometric, PIN)
  • Storage encryption weaknesses
  • Memory leaks exposing sensitive data
  • Any vulnerability leading to loss of funds, secret phrase exposure, or privacy breaches

Out of Scope

The following are not eligible for rewards:

  • Social engineering, phishing, physical attacks, or Denial of Service (DoS/DDoS)
  • Vulnerabilities requiring rooted/jailbroken devices or outdated app versions
  • Network-level attacks (Man-in-the-Middle, DNS spoofing, WiFi attacks)
  • Third-party services, APIs, blockchain protocols, smart contracts, or dependencies without direct Gem Wallet impact
  • WalletConnect (protocol, SDK, and related integrations)
  • Known/duplicate issues, automated scanner output, or theoretical vulnerabilities without proof of concept
  • Low-impact issues (self-XSS, unlikely user interaction, information disclosure without security impact, rate limiting)
  • Public disclosure before coordinated fix, or unauthorized production testing

Out of Scope Domains

  • support.gemwallet.com
  • status.gemwallet.com

Scope

Apps

Only the latest publicly available versions of our apps are eligible. Vulnerabilities found in outdated versions are not in scope.

Repositories

Domains

  • gemwallet.com
  • api.gemwallet.com
  • gemnodes.com

Recognition

Gem Wallet may, at its sole discretion, credit researchers for valid reports after remediation, unless the reporter prefers to remain anonymous. We may also invite selected researchers into private, scoped security reviews or paid audit work when there is a clear need and a defined engagement.

There is no guaranteed monetary reward for new responsible disclosure reports.

Eligibility

  • Gem Wallet determines validity and severity at its sole discretion
  • Only the first reporter of a previously unknown issue is eligible for public credit or any separately agreed recognition
  • Employees, contractors, and their family members are ineligible
  • Testing must be conducted in good faith and comply with all applicable laws

Responsible Disclosure

We follow a coordinated disclosure process to protect our users:

  • Do not publicly disclose vulnerabilities before they are fixed; allow us reasonable time to address the issue
  • We’ll keep you updated on the progress when the report is valid and actionable
  • We may publish security advisories for critical issues after they’re resolved

By participating in good faith security research, you help us protect millions of crypto users worldwide.

Submission

If you believe you’ve found a valid security vulnerability, please report it to security@gemwallet.com with detailed steps to reproduce the issue. We respond to security reports within 24-48 hours.

All submissions must include a proof of concept against the latest public Gem Wallet iOS or Android app, or another in-scope production service where applicable. Reports based only on source code, isolated libraries, unused code paths, or theoretical reachability are not sufficient unless the proof of concept demonstrates that the affected code is reachable and security-impacting in an in-scope app or service.

If the issue was found, validated, or triaged with AI agents or AI-assisted tools, your report must identify the AI model names and versions used, and include the prompts used to discover or analyze the issue.

For AI-agent or AI-assisted findings below Critical severity, reports should include a proposed fix or remediation plan along with a proof of concept that reproduces the issue and demonstrates the impact. Do not open public pull requests or issues that disclose exploitable details before coordinated disclosure.

For general questions or non-security issues, visit docs.gemwallet.com or contact support@gemwallet.com.