We work with an active community of security researchers through our Bug Bounty Program to continually improve the security of MetaMask.
Your participation in this Bug Bounty Program is voluntary and subject to the terms and conditions set forth below. By reporting a vulnerability to MetaMask, and thereby ConsenSys, you acknowledge that you have read and agreed to fully comply with the rules disclosed in this program.
Reporting a vulnerability
If you believe you’ve identified a potential security vulnerability in our products or services, please report it to us using one of the following options. Please do not file a public issue or discuss the vulnerability in public places like Discord, Slack, Twitter, etc.
Reporting options, if you think you have found a vulnerability:
If you cannot use HackerOne, we appreciate direct reports sent to [email protected]. If you have data that you consider particularly sensitive and would like to encrypt it before sending it to our bug bounty program, please use the OpenPGP key at the bottom of this page.
Blockchain security specialists and members of our DeFi community who want access to our authenticated test environment can request access to our ConsenSys programs at https://hackerone.com/consensys.
We will make our best effort to address all vulnerabilities as soon as possible and coordinate the disclosure of the finding with the researcher. All other non-security-related bugs in the codebase should be filed as an issue on GitHub.
Policy for responsibly disclosing vulnerabilities to the public
Our responsible disclosure policy employs a process where vulnerabilities are first triaged and addressed in a private manner, and only publicly disclosed after a reasonable time period. This allows the vulnerability to be patched and gives users an upgrade path. The responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities prior to a patch being released.
Please refrain from malicious acts that put our users, the project, or any of the project's team members at risk.
Please do not disclose your findings outside this Program until we have had the opportunity to review and address them with you.