Here at MetaMask, security is at the core of our development. As part of our ongoing efforts to make our users as safe as possible, we're excited to partner with HackerOne, a leader in Attack Resistance Management (ARM), for our security bounty program.

HackerOne blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This gives ethical hackers the opportunity to disclose wallet vulnerabilities to our team and get rewarded for their efforts. 

The program also follows our recent partnership with Asset Reality to help MetaMask scam victims recover stolen assets.

We are aware of the numerous scamming and phishing attempts that take place in Web3, and this is one of many recent improvements our team has made to combat the nefarious activities that continue to plague the industry.

How It Works

If you believe you’ve identified a potential security vulnerability in our products or services, please follow these steps:

  1. Create a HackerOne account 

  2. Submit a report through the platform. The report should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept.

  3. Be patient with the process while we carefully address the issue, and don't disclose it publicly, as this is a private program. Learn more about vulnerability disclosures here.

We will do our best to address all vulnerabilities as soon as possible and coordinate the disclosure of the finding with the researcher.

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System).

Bounty reward tiers. Please note these are general guidelines, and reward decisions are up to the discretion of MetaMask.

Thank you for making MetaMask safer. And as a reminder, please do not file a public issue or discuss the vulnerability in public places like Discord, Slack, Twitter, etc. until our team confirms it is safe to do so. 

Making Web3 Safer For All

Efforts like HackerOne's bounty program, VillageDAO's decentralized customer care approach, and Dan Finlay's phisher-eliminating dapp MobyMask empower the community to band together.

If you’ve identified a potential security vulnerability, let us know. Don’t let the scammers win! 

Web3 belongs to everyone, and it takes us all chipping in to make it safer.