IOTA Trinity Wallet

  • Points – $1,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

9 vulnerabilities rewarded

Validation within about 17 hours
75% of submissions are accepted or rejected within about 17 hours

$183.33 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

IOTA Foundation ( is a not-for-profit foundation based in Berlin, Germany with the mission to support the development and standardisation of new distributed ledger technologies (DLT). To drive the future economy of interconnected and autonomous devices, the IOTA Founders established the Foundation and developed the ideas behind the Tangle architecture. The IOTA Tangle is an innovative type of DLT specifically designed for large scale transactions and the Internet of Things (IoT) environment.

We are inviting researchers to test our latest Mobile and Desktop wallet: Trinity. It is aimed at non-technical consumers of IOTA technology, allowing them to access the network with a simple and fool-proof UI. The application has been developed using React Native for iOS and Android as well as Electron for Windows, Mac Os and Linux.

We hope this program helps deliver a safer wallet to the consumers of IOTA technology.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated

Technical severity Reward range
p1 Critical Up to: $1,500
p2 Severe Up to: $900
p3 Moderate Up to: $300
p4 Low Up to: $100
P5 submissions do not receive any rewards for this program.


In scope

Target name Type
IOTA Desktop Client (all Operating Systems) Other
IOTA Android Client Android
IOTA iOS Client iOS

Any domain/property of the IOTA organization not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Information

Mobile Targets:
Apple iOS: Signup to TestFlight
Android: Become Play tester

Desktop Targets:
Binaries can be downloaded here

Mono-repo Source Code
Github link


The applications are built to be standalone, they do not require any servers from the IOTA Foundation to run.

They have a pre-populated list of IOTA nodes to enable a quick start for new users. This can be changed in the settings. If you would like to run you own node to connect with the Trinity wallet you can follow a tutorial here.

Any contact forms or issue submission functions within the app are live. However, it is best to submit through this platform.


The application can be used without credentials provided by following the internal setup process. However, upon request, researchers will be provided with one SEED that contains 40Ki of IOTA tokens (see below for obtaining a seed).

These tokens are real and are valid on the main IOTA network. This is equal to 40,000 tokens, which is roughly $0.6 USD. The minimum amount that can be sent on the network is 1 token and there are no fees. So you will be able to send these tokens back and forth between multiple wallets.

Each researcher will be given one SEED - please follow the guide below to obtain credentials.

1.) To request access to the program, first log into your Bugcrowd researcher account.

2.) Once signed in, please email to request credentials.

  • Please use the subject line '@@@@Iota Credential Request@@@@'.

3.) Bugcrowd will distribute your seed/wallet as quickly as possible.

  • Please allow 24 business hours (PST) for your access to be granted.

Focus Areas

The applications core functionality is three fold:

  • Read wallet balance & history
  • Create and broadcast IOTA transactions to the Tangle
  • Store the SEED/s for the wallet in a safe manner.

Ensuring the security of these functions is of the greatest importance to the Foundation and ultimately the users of the wallet.

We have had two audits completed on the wallet before Beta release. You are able to find details on them here and mitigations of these here

Excluded from Rewards

  • Protocol bugs that are unrelated to the Trinity wallet.


  • Addresses that aren't derived from a SEED you own.
  • Other users testing the Alpha of the Desktop or the Beta of the Mobile software
  • IOTA Network consensus
  • IOTA Network confirmation
  • Any distribution channels. Play Store, Apple Store, Download link for Desktop.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.