imKey Vulnerability and Threat Intelligence Bounty Program

Project Overview

imKey provides blockchain security products and solutions. Founded in 2018, imKey’s core team members come from blockchain wallet, financial institutions, and secure hardware industries, with complementary expertise in embedded security and cryptocurrency. From the beginning, imKey received angel investment from the globally renowned blockchain wallet imToken, and has been dedicated to research in the field of crypto asset security.

Scope of Work

• Websites and Applications: *.imkey.im
   
• Source Code (GitHub): 
  • https://github.com/consenlabs/imkey-core
     
  • https://github.com/consenlabs/imkey-manager
     
• Physical Hardware: imKey Hardware Wallet
   

Reward Rules

The bounty amount will be determined by the imKey team based on factors such as severity, qualification, and impact.

• Publicly disclosed vulnerabilities are not eligible for a bounty. Submissions must be sent via support@imkey.im.
   
• If a vulnerability has already been reported or is known, it will not qualify for rewards.
   
• Documentation or reproducible steps are required to validate the reported issue.
    

Reward Tiers

Additional Evaluation Criteria

Besides severity, the following factors also influence the bounty amount:

• Clear and detailed description of the vulnerability
• Reproducible test code or instructions
• Clear suggestions or methods to fix the issue

Reporting Guidelines

• Rewards are given only if the imKey Security Team can reproduce and verify the issue and confirm a clear security impact.
   
• Reproduction steps must be clear and specific — screenshots, videos, or scripts are encouraged.
   
• Do not engage in social engineering or phishing.
   
• Do not disclose vulnerability details publicly.
   
• Avoid large-scale scanning using automated tools; any resulting system or network damage will be handled according to law.
   
• During testing, avoid directly modifying pages, creating continuous pop-ups, stealing cookies, or retrieving sensitive payloads (use DNSLog for blind XSS validation).
   
• Testing must remain proof-of-concept (PoC) only — destructive testing is strictly prohibited. Any accidental damage must be reported immediately.
   
• Sensitive operations (deletion, modification, etc.) performed during testing should be clearly documented in the report.
   

Handling Process

Reporting Stage
The reporter contacts the imKey team via email or official submission channel. (Status: Pending Review)

• Email: support@imkey.im

Processing Stage

• Within 3 business days, imKey confirms receipt and begins evaluation, forwarding details to the technical team. (Status: Under Review)
• Within 7 business days, the imKey Technical Team assesses and scores the issue. (Status: Confirmed / Ignored)
• The reporter may be contacted for clarification.
   

Fixing Stage

• The imKey product team fixes verified issues and schedules deployment. (Status: Resolved)
• Fix timelines depend on severity: 
  • Critical / High: within 24 hours
     
  • Medium: within 3 business days
     
  • Low: within 7 business days
     
  • Client-side issues depend on app release schedules.
     
• The reporter reviews and confirms whether the fix is effective. (Status: Verified / Disputed)
   
• Once confirmed, the imKey Technical Team communicates the results and bounty score to the security partner (PeckShield) for reward distribution. (Status: Closed)
    

Reward Distribution Principles

• Rewards will be paid in cryptocurrency equivalent to USD value.
   
• Supported stablecoins: USDT, USDC

Important Notice:imKey sells physical security hardware products only and does not provide any virtual asset trading, custody, or funds-related services. References to third-party wallets, exchanges, or decentralized applications are for compatibility purposes only; related functions and services are provided independently by third parties.