The ESP32 Security Bug Bounty Program (USD $200 ~ $3,600)

Moderator: flying_raijin

Faye
Espressif staff
Posts: 25
Joined: Thu Dec 10, 2015 6:47 am


Postby Faye » Fri Mar 31, 2017 2:00 am

Important Note: The Bug Bounty Program described below is now ARCHIVED and OUTDATED. Please see the updated program post below.
The ESP32 Security Bug Bounty Program

PROGRAM DESCRIPTION
Espressif is pleased to launch the ESP32 Security Bug Bounty Program with immediate effect from Mar. 30th, 2017 onwards.
We will offer US$500 to any developer reporting a previously unknown security-related bug in our latest ESP-IDF. $1729 more for proof of concept!

WHAT CONSTITUTES AN ELIGIBLE BUG REPORT?
In the following links you can find more details about our ESP-IDF Programming Guide, particularly about Security Function, Flash Encryption and Secure Boot. Bugs irrelevant to security are not included in the Bug Bounty Program.
Also, developers should focus only on the latest version of our ESP-IDF.

If multiple developers happen to report the same bug, the award will be given to the first one who files a bug report.

HOW DO I REPORT A BUG?
Fill in the attached form and send it to bugbounty@espressif.com. Full details about the bug are required, including bug name, bug description, the ESP-IDF version in which it was found, relevant hardware information, test steps, reference codes, log output, and any other information deemed necessary for identifying and verifying the reported bug.
ESP32 BUG REPORT TEMPLATE.docx
We cannot accept responsibility for reports not properly sent. Incomplete or false reports will not be accepted. We may ask for clarifications if needed. 

I’VE REPORTED A BUG, NOW WHAT?
  1. You will receive an email acknowledging the receipt of your bug report.
  2. Then, our engineers will review your report and validate its eligibility. The duration of reviewing may vary, depending on the complexity and completeness of your report, as well as number of bug reports we receive. In any case, you will get an update on the bug, as we shall respond to you personally and fix any confirmed vulnerability before going public.
  3. Upon bug verification, we shall contact you, asking to provide us with all necessary information that will facilitate your payment for eligible bug reports.
  4. For eligibility, bugs must not be disclosed publicly until after Espressif engineers have responded and produced fixes for any issues if necessary.
BOUNTY PAYMENTS
In general, we shall make payments via bank transfer. Award recipients are responsible for dealing with any tax implications or local laws, rules and regulations applicable to their country/ state/ province.

RIGHTS RESERVED
Espressif reserves the right to decide whether the bug report is valid. Decisions made by Espressif are final and binding.

We look forward to your participation!
Important note: the bug bounty program below has been discontinued. Please see the updated program below.
ESP32 Security Bug Bounty Program

PROGRAM OVERVIEW:

Espressif is pleased to announce the launch of the ESP32 Security Bug Bounty Program, effective March 30, 2017.
We will pay US$500 for each security bug in ESP-IDF that is judged valid, and up to US$1729 if a proof of concept (POC) is provided, to encourage developers to use the official Espressif ESP-IDF release and report previously unknown security-related issues in it.

The detailed rules of the ESP32 Security Bug Bounty Program are as follows:

WHAT IS A VALID SECURITY BUG?

First, it is a bug related to security functionality. For details on the security features, please refer to the ESP-IDF Flash Encryption and Secure Boot documentation.
Bugs unrelated to security functionality are currently not covered by the bounty program.
It comes from the latest ESP-IDF released by Espressif.
It is unknown. This means the bug was not publicly known when the official ESP-IDF was released, and no other developer reported it before you did.

HOW DO I REPORT A BUG?

Please fill in the attached form and send it to bugbounty@espressif.com. You need to provide detailed information about the issue, including the bug name, ESP-IDF version number, hardware module information, bug description, detailed test steps, reference code, log output and any other necessary information.
If, due to unforeseen circumstances, we do not receive your email, or the bug you report is incomplete such that it cannot be accurately identified, we will not accept it. If necessary, we will contact you and ask you to clarify the issue.

I HAVE REPORTED A BUG I FOUND; WHAT NEXT?
  1. You will receive an email from us confirming that we have received your report.
  2. Our engineers will test the reported bug and verify its validity; please allow us to contact you for more information.
  3. The review time varies with the complexity and completeness of the reported issue and the number of reports we receive, but we will always keep you updated on our progress in a timely manner.
  4. To protect the effectiveness of the BBP, please do not disclose the issue in advance; we will verify the reported issue and resolve it promptly.
BOUNTY PAYMENTS
We will pay your bounty by bank transfer.
You are responsible for paying any applicable taxes under the laws and regulations of your country.

RIGHTS RESERVED
Espressif reserves the right to determine whether a reported bug is valid. Espressif's decision is final and binding.

ESP32 Security Bug Bounty Program: we sincerely look forward to your participation!

ESP_Rachel
Espressif staff
Posts: 121
Joined: Wed Nov 10, 2021 9:28 am

Re: The ESP32 Security Bug Bounty Program (USD $200 ~ $3,600)

Postby ESP_Rachel » Tue May 19, 2026 9:34 am

The ESP32 Security Bug Bounty Program

PROGRAM OVERVIEW

To better align with the evolving security landscape and our optimized response workflows, the Espressif Security Bug Bounty Program has been revised, effective May 20, 2026. This initiative reflects our ongoing commitment to product security and our deep appreciation for the global research community.
  1. Reward: Bug bounty rewards typically range from USD $200 to $3,600 depending on severity and impact. Final reward amounts are at Espressif’s sole discretion.
  2. Acknowledgment: Espressif aims to acknowledge receipt within 7 business days and provide a tracking reference ID for your submission.
  3. Timeline: Per the ESIRP: Evaluation ~4 weeks, Corrective Actions ~8 weeks, Public Disclosure ~12 weeks from report. Actual timelines may vary depending on severity and complexity.
  4. Disclosure: Espressif follows a coordinated vulnerability disclosure process (~90 days). Reporters agree not to disclose publicly before Espressif releases advisories and/or fixes.
  5. Safe Harbor: Espressif will not pursue legal action against security researchers who report vulnerabilities in good faith, comply with this program’s terms, and follow the coordinated disclosure process.
  6. Out of Scope: Vulnerabilities in third-party libraries, third-party services not operated by Espressif, example-only code (unless the same pattern exists in production SDK), and issues in software outside the longevity commitment period.
HOW TO REPORT A SECURITY ISSUE?

Download and fill out the Espressif_Security_Vulnerability_Report_Form_v1.1.pdf

Send the completed form along with any technical write-ups, logs, or Proof of Concepts (PoCs) to: bugbounty@espressif.com

Note: Incomplete, vague, or false reports will not be accepted. Espressif may request additional clarification or evidence during the reproduction phase if necessary. To ensure the effectiveness of this program, please do not publicize any issues without prior notice to Espressif. Additionally, all vulnerability details must remain strictly confidential until Espressif has officially released the patches or security advisories.

BOUNTY PAYMENTS

Payments are generally made via bank transfer.

Recipients are responsible for any applicable taxes and compliance with local laws and regulations.

RIGHTS RESERVED

Espressif reserves the right to determine whether a bug report is valid. All decisions made by Espressif are final and binding.

We look forward to your participation!

ESP32 Security Bug Bounty Program

PROGRAM OVERVIEW

To better adapt to the evolving security landscape and to align with our optimized security response workflow, the Espressif Security Bug Bounty Program has been updated, effective May 20, 2026. This program reflects Espressif's continued investment in product security and our sincere appreciation for the global security research community.
  1. Reward range: Depending on the severity and actual impact of the vulnerability, rewards typically range from US$200 to US$3600. The final reward is determined by Espressif.
  2. Acknowledgment: Espressif will acknowledge receipt within 7 business days of receiving a report and assign a tracking ID to the submitted issue.
  3. Processing timeline: Per the ESIRP process: evaluation about 4 weeks, remediation about 8 weeks, public disclosure about 12 weeks. Actual timelines may be adjusted depending on the complexity and scope of impact of the issue.
  4. Disclosure principle: Espressif follows a coordinated vulnerability disclosure process (about 90 days). Submitters must not disclose vulnerability information before Espressif releases a security advisory and/or fix.
  5. Safe harbor: Espressif will not take legal action against security researchers who submit vulnerabilities in good faith, comply with the terms of this program and cooperate with the coordinated disclosure process.
  6. Out of scope: Vulnerabilities in third-party libraries, issues in third-party services not operated by Espressif, issues that exist only in example code (unless the same issue exists in the official SDK), and issues in software beyond its long-term maintenance period.
HOW TO SUBMIT A SECURITY VULNERABILITY REPORT?

Please download and fill out: Espressif_Security_Vulnerability_Report_Form_v1.1.pdf

Send the completed form, together with any related technical analysis, logs or Proof of Concept (PoC), to: bugbounty@espressif.com

Note: Reports that are incomplete, vague or false will not be accepted. During the reproduction phase, Espressif may request additional explanation or further evidence if needed. To ensure the effectiveness of this program, please do not disclose any issue publicly without notifying Espressif in advance. In addition, all vulnerability details must remain strictly confidential until Espressif officially releases a patch or security advisory.

BOUNTY PAYMENTS

Bounties are usually paid by bank transfer.

Submitters are responsible for complying with the applicable laws and regulations of their location and for any tax liabilities that may arise.

RIGHTS RESERVED

Espressif reserves the final right to determine the validity of a vulnerability; all decisions are final and binding.

Espressif sincerely looks forward to your participation!
