Security Audits

Building the most secure wallet in the ecosystem while keeping users in control

Security Audits

Security is at the core of our development. Our libraries have been audited by security experts and independent researchers. Reports are public:
  • Diligence - October 2024 - Report
  • Diligence - August 2024 - Report
  • Diligence - June 2024 - Report
  • Cure53 - March 2024 - Report
  • Least Authority - September 2023 - Report
  • Least Authority - September 2023 - Report
  • Cure53 - February 2023 - Report
  • Least Authority - March 2020 - Report
  • Least Authority - April 2019 - Report
  • Cure53 - August 2017 - Report

MetaMask Bug Bounty

We work with an active community of security researchers through our Bug Bounty Program to continually improve the security of MetaMask.
Your participation in this Bug Bounty Program is voluntary and subject to the terms and conditions set forth below. By reporting a vulnerability to MetaMask, and thereby ConsenSys, you acknowledge that you have read and agreed to fully comply with the rules disclosed in this program.

Reporting a vulnerability

If you believe you’ve identified a potential security vulnerability in our products or services, please report it to us using one of the following options. Please do not file a public issue or discuss the vulnerability in public places like Discord, Slack, Twitter, etc.
Reporting options, if you think you found a vulnerability:
  • Submit a report through the HackerOne platform https://hackerone.com/metamask
  • If you cannot use HackerOne, we appreciate direct reports sent to [email protected]. If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the OpenPGP key for encryption at the bottom of this page.
  • Blockchain Security specialists and members of our DeFi Community wanting access to our authenticated test environment can request access to our ConsenSys programs https://hackerone.com/consensys.
We will make the best effort to address all vulnerabilities as soon as possible and coordinate the disclosure of the finding with the researcher. All other non-security related bugs in the codebase should be filed as an issue on GitHub.

Policy for responsibly disclosing vulnerabilities to the public

Our responsible disclosure policy employs a process where vulnerabilities are first triaged and addressed in a private manner, and only publicly disclosed after a reasonable time period. This allows the vulnerability to be patched and an upgrade path for users. The responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities prior to a patch being released.
Please refrain from malicious acts that put our users, the project, or any of the project's team members at risk.
Please do not disclose your findings outside this Program until we have had the opportunity to review and address them with you.
Follow HackerOne’s disclosure guidelines.

Open PGP key

-----BEGIN PGP PUBLIC KEY BLOCK----mQINBGIm1ZABEACpbTPkgC3vtCdt5viZS1dq0J44RZm4QEXJW3yjUJNwZrRS7xv4 39KFiYDWHM6aNLkq3bcrT+grnhxXKTRGvemciT/EhIfGWQ+SJw5SKCvNN4vdfAEw AWE2QuX4IB7Sui1xCedmxDLURQNeEYl9frKbgaMcpF4PqQaeAoJUDITFvTabR+xZ 0VyPdb5qXfInGxII5hgW+RB3ej19w4ViXKTMIe0H1C6PlHNki+x6l62hpPtDlX0Z r5cEIOpuB6e4RtN/vStM8nD/vNILdrVkKtP1zAGecm2NPxYHjcL/SsjKsOC0/4g5 RSMXta3+3MGYqKM5ZRawfcM00x8q0VcZBQ+uezUczksaF4dUg4WiDEqWWoRp1jBS AuYEp0dGZYL8W4ehuf8eP7PKUNRG7dludeSa5+7o+0H2YR9v5WlSxlmS7jsc+hSp D0HuLfmZE3rQmOR1JL56bIIysoL4afFoy4one1WE9l7m/UQ3SZ2KpvNVObrpbtMF /ynZbMtC8TKdTq2ss9n4QJlz6QyDVU++U6CElKHdbyvRGCfX7Za8J/hnG4p4yheO K8ecpj/hdxBjPEaamvAOD5km8L/1Hj6hTGdtfwTgoiDLRmhR1I1uwAJcJJ1WQwoq +hWnLA4j9QxwZg5aizf2zEdvXFS39Dm70Gw2ENI4uAyzUA7HyP/sBFzHWQARAQAB tCdDb25zZW5TeXMgU2VjT3BzIDxTZWNPcHNAY29uc2Vuc3lzLm5ldD6JAlgEEwEI AEIWIQQnr8bL8lMhOMVz4HHVNepxZ/871gUCYibVkAIbAwUJA8ObkAULCQgHAgMi AgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ1TXqcWf/O9ZDDg//b28MhJUM1yZTI53n zHge0dV8dnmkjPoCRD1ZwCZ1j869dlHsmZDOR4caqJwXlL8kXQwhPig+ZqVMIuNV Y+ax7jM4Lj8IrO7U4X6cr0iKOq3+aEJyIbUBJvz49CeynHeUj8iprSGYd+2WH2Yv lkrp2lDLXtTO94WlCDog0nsywp16IRwQ42AnBeM1BiNZnuqCtqrdy5LnIwOMAcjX ZVxKdU7iLbs2nYNPfEXp7PWdMQOqb1SOh+sYYoYoy+Z2Lbe51omtABjitSz9uVO3 W6pPp/UqmUhd044xKdKQAOlyzr7hg9Rsf8yRItrRXkg4ACl3OycXiV2MU68/LUSW 3I3w7AFNYdwBuwgJuhp1oCewWMispEfZGymlWvilz+bAOwXm8op5UOqk9mQqgitr 109B4XxxuUeFMZmlTn/g0NGhS75Iks8m9XTCGGX8WnrldNV0WPNL3m5+llNjvcZl DHbe+DXlak82Lzq7Ok7iozStCe18HKnxqzCFjBFuUhSIgDLXKlBVbjY8cOVlsZOG +4peTIQxZiYO9CxQ3PmDEfkkrIkaHcm/dZsZomI7TzxU4fgWhwRyYVTKYIy6km+j dnNXy628YPHdoyRIVo8LfUlC3v4ofn4GLpM2K6PfahTue7u2N9UgLjmNrF/3bleN PxZENYK7ZXOwSx9teFl6zQjgIau5Ag0EYibVkAEQANCRs+MK2vTPVHHBnYUORzZm 6iaHUEs8u0KyHLutrWcl88ebVDDz5QxJJk4QI1zAAwacw4BKtkbo1MY3rhRtIxSz qguFrrzvBDiwQtuJb3UJss7r1wdzfdCphyuCtN8N0QM51JDOEo2ey+BBivl5fuSk Dfqpkq1x1nzBOBCZ9btd6vLLnQ1DtKy0XUVkTlx7ruvODDy4NPTQ4LN6g1Mo4XJu TBua+4zZcSGOzF4KPnQqNxQxNQwnBtOHkFx3D2hByUoLxfwtUCocashquVbVQEXC GW9IQh1QLAvjVr7h5ZR+eiChK+rYSomdLnaAtBh4rco/RNtRiDq5ruaIthplVKGa BvNYh4Com9TKgfL99abiVmW9US+Ex3pGQ8yHsxrbDEs7SHggMfPYxi7WOidP3nQp 1kphqbaJ02zqk1REH/LRpiujD7EII7kOU5L/FXuGilv6HWro5s4t68JIcOfix3G6 ggi9EswXrV1FV8XZ4AzjNUwMmh3UKl1h5bmESdDZ0KcUPnd8iRHTQy8qrKhvxnU6 xr5RiITs+dZ+Bvs681Tp7JnMf1dUqgRxTZcKbav7ZSGmsPsMeQECMtA8A6AJbysC /dYvQmA9PWHlWlTDLTMJ+8asVxmbYcIbpARWqC7pPBeJuTFJjQYv3BtMhRNBjrdE reXOfXIX6AVvjpvUqa1BABEBAAGJAjwEGAEIACYWIQQnr8bL8lMhOMVz4HHVNepx Z/871gUCYibVkAIbDAUJA8ObkAAKCRDVNepxZ/871qpvD/94YBe42DpUsYRboZ/M kZFDHbofR/0HCMLPyRsGRuvEtZ7oIpJmfrNyK9n2fGRnJWy/Eck8b4q4OvqtZxP6 cSf6YlZmn5gdW0fPrjU3Ia1gj4mZsPtwqYzsbMwhYKRFqG9uaM8vYUJbFPJ95XmE UYmkDAIb7dXvNPrAKKdyerqbeRxmiwPD+5DVBzZCCRKSaEXi1I4mY8l3yVcl2GeY 3i5Gl0mg9GN4NYvdZtwVjIxVDmuBi0yXOs5XOonaH3pUhuHYteXpTkR8fWJOF51I ppGnkkOXf3b6NIAUrIbKb8XLbzVDF4nywIuHtsV20LHkCmlWuzx9Y2CzYt/9y8dv C2xmBxMBt+eGkTbsSnQqEtIkR4vgogYGkfFVqzAw90iZnC3vyHdw7WWjqTv6Yb5x mrcuhaYqAq9ovEaWZED0x7EZqFG0ix7thLwZEWSYwaX/AdQwOb4RYZ+Q9yf21WAU vTG2AIGtxDTaHBtf/w0KMKCu3kzMJxVmyB4LnRe69QAoZhdAgcHPY/n+SB9k9dY7 r/tnJu4iKmlatW7uHgNalrQseeKz4Rwb8sZvFqA5VYHuICbC9ViJU6iB0iAUuUn8 JeZpt2go+C53heb6wywBMGt6gjETYYJXaV1RXq5l3bJ//+vfg8mMB3j/6HBa8NkI wDzGGMuReGLUCLcXCQBobi2zCQ===emGk -----END PGP PUBLIC KEY BLOCK-----