Bug Bounties

MetaMask

Powered by: 

Allows bounty splitting: 

Average time to first program response: 12

Average time to bounty awarded null: 105

Average time to report resolved: 1764

Handle: metamask

Managed program: true

Name: MetaMask

Offers bounties: true

Offers swag: false

Response efficiency percentage: 94

Submission state: open

Url: https://hackerone.com/metamask

Website: https://metamask.io/

In scope:

  • Asset identifier: MetaMask Browser Extension
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
      Chrome Installation Link: https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn
      Firefox Installation Link: https://addons.mozilla.org/en-US/firefox/addon/ether-metamask/
      Supporting Documentation:
        - https://docs.metamask.io/guide/
        - https://github.com/MetaMask/metamask-extension
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: MetaMask JavaScript SDK
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: The MetaMask SDK allows third-party developers to connect remotely with their users' MetaMask wallets after performing an authorization flow.
      JavaScript SDK Installation Guide: https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-js/
      Unity SDK Installation Guide: https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-unity.html
      Architecture documentation: https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-concepts.html#communication-layer
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://portfolio.metamask.io
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: **PLEASE NOTE: All reports regarding this asset should be submitted to the ConsenSys program at https://hackerone.com/consensys. Reports will be subject to the rules and conditions listed there.** The Portfolio dApp allows MetaMask users to see an aggregated view across multiple different MetaMask accounts. It also allows users to access popular on-chain primitives like Swaps, Bridging, Staking, and more.
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: io.metamask
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
      Installation Link: https://metamask.io/download/
      Supporting Documentation:
        - https://docs.metamask.io/guide/
        - https://github.com/MetaMask/metamask-mobile
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: io.metamask.Metamask
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
      Installation Link: https://metamask.io/download/
      Supporting Documentation:
        - https://docs.metamask.io/guide/
        - https://github.com/MetaMask/metamask-mobile
  • Integrity requirements: 
  • Max severity: critical