Security Audits
Building the most secure wallet in the ecosystem while keeping users in control
Security is at the core of our development. Our libraries have been audited by security experts and independent researchers. Reports are public:
Diligence - August 2025 - mUSD contract report
Additional mUSD M^Zero Labs contract audits: ChainSecurity, Guardian
OtterSec - October 2024 - LavaMoat Webpack Plugin report
Diligence - October 2024 - Delegation Framework report
Diligence - August 2024 - Delegation Framework report
Diligence - June 2024 - Delegator report
Cure53 - April 2024 - Key-Tree Interface report
Cure53 - March 2024 - Signing Snap & Codebase report
Least Authority - September 2023 - Snaps report
Least Authority - September 2023 - Snaps Extension Integration report
Cure53 - February 2023 - Key-Tree Interface report
Least Authority - 2022 - Seed Phrase Implementation report
Least Authority - March 2020 - LavaMoat Plugin report
Least Authority - November 2019 - Permissions System + CapNode report
Least Authority - April 2019 - Mobile App report
Cure53 - August 2017 - MetaMask Pentest report
MetaMask Bug Bounty
We work with an active community of security researchers through our Bug Bounty Program to continually improve the security of MetaMask.
Your participation in this Bug Bounty Program is voluntary and subject to the terms and conditions set forth below. By reporting a vulnerability to MetaMask, and thereby Consensys, you acknowledge that you have read and agreed to fully comply with the rules disclosed in this program.
Reporting a vulnerability
If you believe you’ve identified a potential security vulnerability in our products or services, please report it to us using one of the following options. Please do not file a public issue or discuss the vulnerability in public places like Discord, Slack, Twitter, etc.
Reporting options if you think you have found a vulnerability:
Submit a report through the HackerOne platform https://hackerone.com/metamask
If you cannot use HackerOne, we appreciate direct reports sent to [email protected]. If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the OpenPGP key for encryption at the bottom of this page.
Blockchain security specialists and members of our DeFi community who want access to our authenticated test environment can request it through our Consensys programs at https://hackerone.com/consensys.
We will make the best effort to address all vulnerabilities as soon as possible and coordinate the disclosure of the finding with the researcher. All other non-security related bugs in the codebase should be filed as an issue on GitHub.
Policy for responsibly disclosing vulnerabilities to the public
Our responsible disclosure policy employs a process where vulnerabilities are first triaged and addressed privately, and only publicly disclosed after a reasonable time period. This allows the vulnerability to be patched and gives users an upgrade path before details become public. The responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities prior to a patch being released.
Please refrain from malicious acts that put our users, the project, or any of the project's team members at risk.
Please do not disclose your findings outside this Program until we have had the opportunity to review and address them with you.
Follow HackerOne’s disclosure guidelines.