COLDCARD SECURITY
Check the code, firmware, and device.
COLDCARD publishes the material needed to inspect important software and device-security claims. Verification does not mean assuming that open source, an air gap, or a green light solves every threat. It means checking the specific control before you depend on it.
Start with four checks
Read the firmware source
The Q and Mk-series firmware source is published for review. Inspect the implementation, release tags, build instructions, and changes instead of relying only on a product description.
Verify a firmware download
The Downloads page publishes current firmware files. The upgrade guide explains how to compare the SHA-256 hash and verify the signed signatures.txt file before loading firmware.
Check the device before entering a PIN
At boot, the secure element checks the flash contents against its recorded checksum before lighting GENUINE (green) or CAUTION (red). If the CAUTION light remains red, do not enter your PIN. Stop and investigate.
Disclose a vulnerability privately
Coinkite accepts reports at [email protected], coordinates PGP-encrypted follow-up, and may pay a Bitcoin bounty for a qualifying report with a working proof of concept.
What each check proves
Published source makes review possible. It lets researchers inspect the firmware and lets advanced users reproduce a release build. Public code does not prove that the code has no bugs or that every hardware claim is correct.
A reproducible build compares source with a binary. A matching result supports the claim that the released firmware corresponds to the tagged source and documented toolchain. It does not prove that the source is free of vulnerabilities.
A signature identifies approved firmware. COLDCARD checks that firmware was signed by an approved Coinkite key. A valid signature does not make every signed release safe forever, so check the current version and release notes before upgrading.
The GENUINE/CAUTION status is a boot-time flash check. It helps detect an unexpected change before PIN entry. It does not replace inspection of the numbered tamper-evident bag, the clear case, your anti-phishing words, or the transaction details on screen.
Verify the whole signing workflow
Security is not one chip or one badge. Before placing a meaningful amount of bitcoin in a new wallet:
- Buy from Coinkite or an authorized reseller and inspect the numbered tamper-evident bag.
- Confirm the bag numbers, tear-off tab, and bag number shown by the device agree.
- Wait for the GENUINE status before entering the PIN.
- Record and verify the anti-phishing words produced by the PIN prefix.
- Back up the seed, pass the on-device quiz, and keep the backup away from cameras and networked devices.
- Export a watch-only wallet and verify a receive address on the COLDCARD screen.
- Receive a small test amount, sign one Partially Signed Bitcoin Transaction (PSBT), and verify destination, amount, fee, and change on the device.
- Test the documented recovery path before relying on the wallet for a larger balance.
Start with the first-session checklist
Know the limits
QR and MicroSD signing remove a live data connection between the signer and an internet-connected coordinator. The COLDCARD still parses transaction data carried across that gap. Review the payment details on its screen before signing.
Dual secure elements reduce dependence on a single chip vendor. They do not protect a seed phrase that was photographed, typed into a phone, or stored with its passphrase.
Bitcoin-only firmware reduces protocol scope. It does not mean the remaining code cannot contain a defect.
A clear case and numbered tamper-evident bag make physical inspection easier. They do not replace buying from a known source or checking the device at first use.
Security links
Firmware verification
Check the release hash and PGP signature before an upgrade.
Physical security notes
Review signed boot, GENUINE/CAUTION status, and physical checks.
Found a security issue?
Keep the report private, preserve user data, and send a reproducible proof of concept to Coinkite's security contact.
Sources and verification
Verified on July 17, 2026.