Skip to main content

Security Vulnerability Disclosure

DO NOT create public GitHub issues for suspected security vulnerabilities.

Reporting Security Issues

If you discover a security vulnerability in Trezor Suite or Connect:
1

Contact Security Team

Email your findings to [email protected]Include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
2

Wait for Response

The security team will:
  • Acknowledge receipt within 48 hours
  • Assess the severity
  • Determine fix timeline
  • Keep you informed of progress
3

Responsible Disclosure

Please allow time for:
  • Investigation and validation
  • Development of fix
  • Testing and deployment
  • Public disclosure coordination
Do not publicly disclose until coordinated with the security team.
4

Recognition

Security researchers are recognized in:
  • Security advisories
  • Release notes
  • Hall of fame (if applicable)
For more details, see the disclosure section on Trezor.io.

Security Best Practices

For Developers

Critical Rule: Private keys must NEVER leave the Trezor device.
// ✅ CORRECT: Use signing methods
const result = await TrezorConnect.signTransaction({
  inputs: [...],
  outputs: [...]
});

// ❌ WRONG: Never try to export private keys
// There is no method to export private keys - by design!
Why it matters:
  • Trezor’s security model relies on keys never leaving device
  • Exporting keys defeats the purpose of hardware security
  • If you need to sign something, use the appropriate signing method
Always show addresses on the device display:
const result = await TrezorConnect.getAddress({
  path: "m/49'/0'/0'/0/0",
  coin: 'btc',
  showOnTrezor: true  // ✅ Always true for receiving addresses
});
Why it matters:
  • Protects against malware showing fake addresses
  • User can verify on trusted device screen
  • Only source of truth is the device display
Always serve your application over HTTPS:
// ✅ Production: HTTPS required
const manifest = {
  email: '[email protected]',
  appUrl: 'https://example.com'
};

// ⚠️ Development only: HTTP acceptable for localhost
const devManifest = {
  email: '[email protected]',
  appUrl: 'http://localhost:3000'
};
Why it matters:
  • Prevents man-in-the-middle attacks
  • Protects user data in transit
  • Required for WebUSB API in browsers
Always validate transaction parameters:
function validateTransaction(tx) {
  // Validate recipient address
  if (!isValidAddress(tx.recipient, tx.coin)) {
    throw new Error('Invalid recipient address');
  }
  
  // Validate amount
  if (tx.amount <= 0) {
    throw new Error('Amount must be positive');
  }
  
  if (isNaN(tx.amount)) {
    throw new Error('Amount must be a number');
  }
  
  // Check for suspicious amounts
  if (tx.amount > getMaxReasonableAmount(tx.coin)) {
    // Warn user about large transaction
    return confirm(
      `Large amount detected: ${tx.amount} ${tx.coin}. Continue?`
    );
  }
  
  return true;
}
Handle errors securely without leaking information:
async function secureTransaction(params) {
  try {
    const result = await TrezorConnect.signTransaction(params);
    
    if (!result.success) {
      // Log detailed error for debugging
      console.error('Transaction failed:', result.payload);
      
      // Show user-friendly message (don't leak internals)
      showUserMessage(
        'Transaction failed. Please check your device and try again.'
      );
      
      return null;
    }
    
    return result.payload;
  } catch (error) {
    // Log error but don't expose details to user
    console.error('Unexpected error:', error);
    showUserMessage('An unexpected error occurred.');
    return null;
  }
}
Always sanitize and validate user input:
function sanitizeAddress(address) {
  // Remove whitespace
  address = address.trim();
  
  // Remove common copy-paste artifacts
  address = address.replace(/\s+/g, '');
  
  // Validate format
  if (!isValidAddressFormat(address)) {
    throw new Error('Invalid address format');
  }
  
  return address;
}

function sanitizeAmount(amount) {
  // Convert to number
  const num = parseFloat(amount);
  
  // Validate
  if (isNaN(num) || num <= 0) {
    throw new Error('Invalid amount');
  }
  
  // Prevent floating point precision issues
  return Math.round(num * 100000000) / 100000000;
}

For Users

Always verify critical information on your Trezor device screen:
  • Receiving addresses
  • Transaction amounts
  • Transaction recipients
  • Contract interactions
Never trust what you see only on your computer screen.
Only download Suite from official sources:Verify:
  • HTTPS connection
  • Valid SSL certificate
  • Correct domain name
For desktop applications, verify signatures:Windows:
  • Check digital signature of .exe file
  • Verify signer: SatoshiLabs
macOS:
  • Check code signature
  • Verify developer: SatoshiLabs
Linux:
  • Verify GPG signature
  • Check SHA256 hash
Always use the latest versions:
  • Device Firmware: Update when prompted
  • Trezor Suite: Enable auto-updates
  • Browser: Use latest version
Updates include:
  • Security patches
  • New features
  • Bug fixes
Your recovery seed is the master key:DO:
  • Write it on the provided card
  • Store in a safe location
  • Consider metal backup for fire/water resistance
  • Use Shamir Backup for advanced security
DON’T:
  • Store digitally (photos, files, cloud)
  • Share with anyone
  • Enter into computer or phone
  • Store with your Trezor device

Security Features

Device Security

Hardware Isolation

Private keys never leave the device. All signing happens in the secure element.

PIN Protection

Device is locked with PIN. Wipes after multiple failed attempts.

Passphrase Support

Additional layer of security through BIP39 passphrase.

Screen Verification

All critical data displayed on trusted device screen.

Software Security

Open Source

All code is open source and auditable on GitHub.

Encrypted Communication

All device communication is encrypted end-to-end.

No Data Collection

Private keys and transaction details never leave your device.

Regular Audits

Regular security audits by independent firms.

License and Usage

The Trezor Suite monorepo is licensed under the TREZOR REFERENCE SOURCE LICENSE (T-RSL).

Key Points

You may use the software within your company as a reference for:
  • Debugging your products
  • Maintaining your products
  • Enhancing interoperability with Trezor
Restrictions:
  • Read-only use
  • Cannot distribute outside your company
  • Reference purposes only
Non-transferable, non-exclusive, worldwide, royalty-free patent license for reference use.
  • No trademark license
  • Software is “as-is” with no warranties
  • Patent litigation terminates license
See the complete LICENSE for full legal text.

Security Resources

Report Vulnerability

Contact security team

Security Center

Trezor security information

Best Practices

Development best practices

GitHub Security

GitHub security policy
Security is a shared responsibility. Developers should follow best practices, and users should verify all critical operations on their device screen.

Build docs developers (and LLMs) love

Get started for freeTalk to us