Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.
White Hat Hacker Forgoes His Bounty
Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts, while noting that this doesn’t prevent the researchers from publishing their own reports. The article is worded in such a way as to suggest all three researchers were happy to comply with this agreement, but that’s not entirely true. Rashid actually forwent his bounty reward, explaining:
I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers
Congratulations @chandansharma! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP