Security philosophy

What we defend against. What we can't.

Honest security starts with an honest threat model. Here's the specific set of attacks a ChinaBridge device is engineered to resist, the failure modes we can't engineer away, and how we handle vulnerabilities when they are found.

Threat model

Designed for, not designed against.

What we defend against

Engineered to resist

  • Phishing & address-swap malware. Even if your host is compromised, the device renders the true transaction — the destination address, amount, and fee — on a screen no browser can spoof.
  • Exchange collapse and custodial freezes. Keys you control cannot be withheld by a failed exchange, a frozen account, or a bankruptcy estate.
  • Hot-wallet malware and browser extensions. Private keys never exist on your computer. A compromised extension can request a signature; only a physical press on the device releases one.
  • Supply-chain tampering. Tamper-evident holographic seals, factory-attested secure elements, and on-boot firmware verification catch interception between our factory and your door.
  • Remote key extraction. The secure element performs signing in-chip; there is no electrical path out that carries the key.

What we can't

Where we cannot help

  • You lose your recovery phrase. The phrase is the wallet. If it is gone — burned, flooded, misfiled — no one, including ChinaBridge, can recover your funds. We do not keep a copy. This is a feature, not a failure.
  • You share your recovery phrase. A phrase typed into a "support" website, a screenshot in cloud storage, a phrase dictated over the phone — all are game over. We will never ask for your phrase, under any circumstances.
  • Physical coercion. If someone is physically compelling you to unlock your device, no hardware alone can prevent a signature. The Fortress hidden-wallet feature exists to mitigate this specific threat: you can unlock a decoy wallet and leave the bulk of funds invisible.
  • Confirming a fraudulent transaction. If the address and amount on screen are the ones you meant to send, and you press confirm, the transaction is valid. Read the screen before the press.
  • Market volatility, chain outages, protocol failures. We secure your keys. We have no control over what happens to the assets those keys sign for.

Responsible disclosure

A paid bug bounty, because we'd rather you tell us.

If you believe you have found a vulnerability in ChinaBridge hardware, firmware, or infrastructure, report it privately to [email protected]. Include a proof-of-concept, affected firmware version, and any suggested remediation. We will acknowledge within 48 hours and coordinate a disclosure timeline with you.

Our PGP key fingerprint for encrypted reports is 8FA2 19B4 7C3D E8B1 5FAA · 2193 D41C 7B8E 0F66 A2D9.

Bounty ranges

| Severity | Examples | Reward |
| --- | --- | --- |
| Critical | Remote extraction of private keys; arbitrary remote signing without physical confirmation; bypass of secure-element isolation. | $50,000 – $500,000 |
| High | Local key extraction with brief physical access; full bypass of PIN or fingerprint; bypass of tamper-evident attestation at scale. | $20,000 – $75,000 |
| Medium | Denial-of-service that requires factory reset; BT pairing flaws that reduce the security of a signing session; side-channel information leakage. | $5,000 – $20,000 |
| Low | UI spoofing with user interaction; firmware update flaws requiring physical access; non-security-impacting logic bugs in critical paths. | $500 – $5,000 |

We honour safe-harbour for good-faith research. Reward ranges reflect the reproducibility, specificity, and novelty of the finding; a complete report with a working proof-of-concept trends toward the top of the range. We publicly credit researchers who want to be named.

Advisory archive

Past advisories, published.

We publish every confirmed security finding, regardless of severity, once a fix has shipped. Nothing here has resulted in a confirmed loss of customer funds.

CBA-2025-04
BT pairing nonce reuse under race condition
Medium · CVSS 5.8 · Published 2025-07-18
Affected: Vault Pro firmware v3.2.0 – v3.2.5.
Summary: Under a specific race condition during Bluetooth pairing, a pairing nonce could be reused if the host disconnected mid-handshake. An attacker with a Bluetooth presence and the ability to trigger the race could downgrade session entropy.
Impact: No key extraction. Signing still required physical confirmation; the finding affected transport-layer session uniqueness only.
Resolution: Firmware v3.2.6 rotates the pairing nonce on any transport interruption. Reported privately by Trail of Bits. Users prompted to update; v3.2.6+ installed on >99% of affected devices within 30 days.
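The rotation rule in this resolution, as an added C example that is not ChinaBridge firmware: the nonce is discarded on every transport interruption and drawn fresh at every handshake start. All names are hypothetical, /dev/urandom stands in for the device's hardware RNG, and the host echoing the nonce back is a simplified stand-in for the real handshake, which the advisory does not describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16

typedef enum { PAIR_IDLE, PAIR_NONCE_SENT, PAIR_ESTABLISHED } pair_state_t;

typedef struct {
    pair_state_t state;
    uint8_t nonce[NONCE_LEN];   /* meaningful only in PAIR_NONCE_SENT */
} pairing_ctx_t;

/* Assumption: /dev/urandom stands in for the device's hardware RNG. */
static int fill_random(uint8_t *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe_nonce(pairing_ctx_t *c) {
    volatile uint8_t *p = c->nonce;
    for (size_t i = 0; i < NONCE_LEN; i++) p[i] = 0;
}

/* Any transport interruption, in any state, discards the nonce. */
void pairing_on_interrupt(pairing_ctx_t *c) {
    wipe_nonce(c);
    c->state = PAIR_IDLE;
}

/* Starting a handshake always draws a new nonce; nothing is cached. */
int pairing_begin(pairing_ctx_t *c) {
    pairing_on_interrupt(c);
    if (fill_random(c->nonce, NONCE_LEN) != 0) return -1;
    c->state = PAIR_NONCE_SENT;
    return 0;
}

/* Accept the host's reply only against the live nonce, then consume it. */
int pairing_complete(pairing_ctx_t *c, const uint8_t reply[NONCE_LEN]) {
    if (c->state != PAIR_NONCE_SENT) return -1;
    uint8_t diff = 0;
    for (size_t i = 0; i < NONCE_LEN; i++) diff |= c->nonce[i] ^ reply[i];
    wipe_nonce(c);
    c->state = diff == 0 ? PAIR_ESTABLISHED : PAIR_IDLE;
    return diff == 0 ? 0 : -1;
}
```

A regression test for this class of bug replays a nonce captured before a disconnect and expects `pairing_complete` to reject it.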

CBA-2025-02
Address rendering truncation on very long Cosmos chains
Low · CVSS 3.4 · Published 2025-03-02
Affected: Vault firmware v2.8.0 – v2.8.2; Vault Pro firmware v3.1.x.
Summary: For Cosmos-family bech32 addresses exceeding 64 characters, the display could truncate without a visible ellipsis. A user not reading carefully might not notice the truncation.
Impact: UI only. The signed payload always contained the full address; the risk was operator confusion, not cryptographic compromise.
Resolution: v2.8.3 / v3.1.9 render long addresses across two lines with a visible continuation marker. Disclosed in coordination with the reporter; acknowledged in release notes.
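An added C example of the rendering rule in this resolution, not ChinaBridge firmware: the address is split across two rows with a continuation marker, and rendering fails closed when the full address cannot be shown. The row width, the marker character and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define COLS 40    /* assumed characters per display row */
#define ROWS 2     /* the fix renders across two lines */
#define MARK '>'   /* assumed continuation marker */

/* Lay addr out over at most ROWS rows. Every row except the last ends in
 * MARK. Returns the rows used, or -1 when the address cannot be shown in
 * full, so the caller refuses to sign instead of showing a partial address. */
int render_address(const char *addr, char rows[ROWS][COLS + 1]) {
    size_t len = strlen(addr), pos = 0;
    int r = 0;
    if (len == 0 || strchr(addr, MARK) != NULL) return -1;
    while (pos < len) {
        if (r == ROWS) return -1;               /* would truncate: fail closed */
        size_t left = len - pos;
        int last = left <= COLS;
        size_t take = last ? left : COLS - 1;   /* keep one cell for MARK */
        memcpy(rows[r], addr + pos, take);
        if (!last) rows[r][take++] = MARK;
        rows[r][take] = '\0';
        pos += last ? left : COLS - 1;
        r++;
    }
    return r;
}

/* Inverse of render_address: strip markers and rejoin, so a test can prove
 * that what the user sees is exactly what will be signed. */
int read_back(char rows[ROWS][COLS + 1], int used, char *out, size_t cap) {
    size_t n = 0;
    for (int r = 0; r < used; r++) {
        size_t w = strlen(rows[r]);
        if (r < used - 1) {
            if (w != COLS || rows[r][w - 1] != MARK) return -1;
            w--;
        }
        if (n + w + 1 > cap) return -1;
        memcpy(out + n, rows[r], w);
        n += w;
    }
    out[n] = '\0';
    return 0;
}
```

With these assumed dimensions the longest address that fits is 79 characters; anything longer returns -1 rather than a shortened display.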

CBA-2024-11
Firmware signature metadata leak via USB descriptor
Informational · CVSS 2.1 · Published 2024-11-28
Affected: All devices, firmware pre-dating v2.7.4 / v3.1.5.
Summary: The USB device descriptor exposed the exact patch version of the installed firmware to an un-paired host, enabling more precise fingerprinting of old units.
Impact: Informational only; no change to the cryptographic security of the device. Reduced to major/minor version on update.
Resolution: v2.7.4 / v3.1.5 report only major and minor firmware versions until the device is paired and attested. Reported by an independent researcher, disclosed with credit.

CBA-2024-06
Recovery-phrase screen glare on OLED panel batch
Low · CVSS 3.0 · Published 2024-08-09
Affected: Vault units from a specific OLED panel batch manufactured Q1 2024.
Summary: A glare characteristic of the affected OLED batch made recovery words marginally readable at unusually shallow viewing angles under bright light.
Impact: Physical risk only; exploitable only if someone was in the room during setup.
Resolution: Panel batch replaced in all subsequent production. Affected customers contacted directly; free panel swap offered under warranty to anyone who requested it.

CBA-2024-02
SLIP-39 edge case in non-standard share counts
Low · CVSS 3.7 · Published 2024-04-12
Affected: Vault Pro firmware v3.0.0 – v3.0.3.
Summary: When creating a Shamir backup with a non-default group count (a rarely-used advanced configuration), a metadata field was set one byte too short. The resulting shares were valid for recovery but could not be combined with shares generated by other SLIP-39 tooling.
Impact: Interoperability, not security. No risk of key exposure.
Resolution: v3.0.4 corrected the encoding. A migration tool was shipped for users who had previously generated non-default group-count shares.

Risk disclosure

Self-custody is a skill. Treat it like one.

A hardware wallet secures keys. It does not secure you from writing your seed phrase on the back of an envelope and losing it in a move. It does not prevent you from sending funds to the wrong address if you press confirm without reading. It does not undo a phishing site you typed your phrase into.

Cryptocurrency itself carries real financial risk: the assets you hold can lose significant value, chains can experience outages, protocols can fail. ChinaBridge does not offer trading, custody, investment advice, or recovery services for lost phrases. We sell the device and publish the documentation.

Before purchase, read our full risk disclosure. It is plain, specific, and honest.