A new Bug Bounty Program for Trusted Firmware!
The Trusted Firmware project is pleased to share that several of its projects have been included in a new Trusted Firmware Bug Bounty Program, which is being provided and operated by Arm.
Trusted Firmware projects form essential building blocks for secure boot, trusted execution, and cryptographic operations across a wide range of Arm-based platforms. Arm’s decision to include them in the Bug Bounty program for Trusted Firmware demonstrates the importance of proactive, community-driven security across the ecosystem and the significance of these projects as foundational to the security of the Arm ecosystem.
The following projects are included in the program:
- TrustedFirmware-A (TF-A): Provides secure boot, firmware lifecycle management and runtime services for Armv8-A and Armv9-A architectures.
- TrustedFirmware-M (TF-M): Offers a PSA-compliant secure processing environment for Arm Cortex-M systems, including secure boot, attestation and crypto services.
- OP-TEE: A popular open-source Trusted Execution Environment enabling isolated execution of trusted applications on Armv8-A systems.
- Mbed TLS & TF-PSA-Crypto: Mbed TLS is a C library that implements X.509 certificate manipulation and the TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems. Mbed TLS includes the TF-PSA-Crypto repository, which provides an implementation of the PSA Cryptography API.
As open-source reference implementations and security libraries, these projects are widely integrated by silicon vendors, OEMs and developers. Because these components sit at the root of trust for many products, improving their resilience benefits the entire ecosystem.
Security researchers who identify issues in the in-scope projects can report them to the Bug Bounty Program for Trusted Firmware, which is hosted on the Intigriti platform. Reports will be jointly assessed by Arm’s Product Security Incident Response Team (PSIRT) and the Trusted Firmware security team, with qualifying issues being eligible for financial rewards based on severity and impact.
More information
The Trusted Firmware project encourages security researchers, contributors and integrators to explore a broad range of security areas, including secure boot flows, isolation boundaries, privilege transitions, cryptographic implementations and protocol handling.
Participation guidelines, scope details, reward information and the submission form are available here.
The Trusted Firmware project welcomes the continued collaboration of researchers and partners, as we work together to enhance the security of the ecosystem.
About the Linaro Community Projects Division
The Trusted Firmware project is hosted by the Linaro Community Projects Division, the division of Linaro that manages open source community projects with open governance. Linaro empowers rapid product deployment within the dynamic Arm ecosystem.



