December 18, 2025

Arm launches a bug bounty program for Trusted Firmware to strengthen firmware and security foundations

By Aaron Brailsford


Building on the success of the Arm Bug Bounty Program, Arm Product Security is pleased to announce a new bug bounty program for Trusted Firmware. This bug bounty program initially covers four open-source projects that provide core security foundations across many Arm-based systems.

The program rewards high-quality vulnerability reports in security-critical projects. This approach strengthens Arm’s commitment to advancing product security through open collaboration with the security research community.

The following projects are included in the program:

  • TrustedFirmware-A (TF-A)
    • A reference implementation for secure boot and runtime firmware on Armv8-A and Armv9-A platforms.
  • TrustedFirmware-M (TF-M)
    • Provides a PSA-compliant secure processing environment for Arm Cortex-M systems. It supports secure boot, attestation and trusted services.
  • OP-TEE
    • An open-source Trusted Execution Environment for Armv8-A that enables isolated execution of trusted applications.
  • Mbed TLS and TF-PSA-Crypto
    • Provides cryptography support for embedded and connected systems. Mbed TLS is a C library that implements X.509 certificate handling and the TLS and DTLS protocols. It has a small code footprint that is suitable for embedded systems. The TF-PSA-Crypto repository provides an implementation of the PSA Cryptography API.

These open-source reference implementations and security libraries are widely integrated by silicon vendors, OEMs and developers. They sit at the root of trust for many Arm-based devices. Improving their security directly strengthens the resilience of the global Arm ecosystem.

Security researchers who identify vulnerabilities in the four in-scope projects can report them to the Bug Bounty Program for Trusted Firmware page on the Intigriti platform.

Arm’s Product Security Incident Response Team (PSIRT) and the Trusted Firmware security team evaluate all reports. Issues that meet the reward criteria are eligible for financial rewards based on severity and impact.

Get started

Arm invites researchers to explore a broad range of security areas. These areas include secure boot flows, isolation boundaries, trusted application execution, cryptographic handling and protocol robustness.

Full details, including participation guidelines, in-scope components, reward tiers and the submission form, are available at the Intigriti program page.

We look forward to working with the research community to continue to improve the security of the Arm-based platforms that power the world’s devices.

Trusted Firmware Bug Bounty Program

