We love enthusiastic security research, and the community response we’ve had to our Trusted Firmware Bug Bounty Program has been great.
Lately, our triage team has been meeting a few too many AI-generated reports that are very difficult to triage. These reports often rely on flawed assumptions, internal-only functions or a lack of real security impact.
To help us focus on genuine, reproducible findings, all reports must now include an end-to-end proof of concept that:
- runs on a TF supported platform (TF-A, TF-M and OP-TEE only; emulated environments are fine)
- reproduces the issue on a correctly implemented system
- demonstrates a meaningful security impact (not just compliance or potential for hardening)
AI has been a game-changer for vulnerability discovery, but an LLM-generated report isn’t enough on its own. Please ensure you always validate and triage your findings before submitting them, and always check your PoC to make sure our team can follow the same path you did.
Thanks for helping us keep the signal high and the bugs real. Happy hunting!!






























