MetaMask HackerOne

Target Policy
https://hackerone.com/metamask?type=team
Structured Scope
  Each entry below lists the asset identifier, a description (where given), the asset type, and the maximum severity.
  • portfolio.metamask.io

    The Portfolio dApp allows Metamask users to see an aggregated view across multiple different Metamask accounts. It also allows users to access popular on-chain primitives like Swaps, Bridging, Staking, and more.

    Asset type: URL
    Max severity: critical
  • https://metamask.io
    Asset type: URL
    Max severity: none
  • Chrome Flask Extension: https://chrome.google.com/webstore/detail/metamask-flask-developmen/ljfoeinjpaedjfecbmggjgodbgkmjkjk
    Asset type: OTHER
    Max severity: none
  • MetaMask Message Signing Snap

    This Snap provides automatic message signing using a pseudo-randomly generated snap private key.

    **Supporting Documentation and source code:**

    - https://github.com/MetaMask/message-signing-snap

    Asset type: OTHER
    Max severity: critical
  • *.api.cx.metamask.io

    APIs used by MetaMask wallet and Portfolio

    Asset type: WILDCARD
    Max severity: critical
  • Chrome Extension: https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn

    Supporting documentation
    - https://docs.metamask.io/guide/
    - https://github.com/MetaMask/metamask-extension

    You can create a new wallet with any password.

    To get test ether on the "ropsten" network, use the browser to go to https://faucet.metamask.io and click "request 1 ETH from the faucet". A couple of minutes later you will have test ETH to make transactions.

    Asset type: OTHER
    Max severity: critical
  • Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/ether-metamask/

    Supporting documentation
    - https://docs.metamask.io/guide/
    - https://github.com/MetaMask/metamask-extension

    You can create a new wallet with any password.

    To get test ether on the "ropsten" network, use the browser to go to https://faucet.metamask.io and click "request 1 ETH from the faucet". A couple of minutes later you will have test ETH to make transactions.

    Asset type: OTHER
    Max severity: critical
  • developer.metamask.io

    MetaMask Developer provides instant and scalable API access for web3 dapp developers.

    Bounty Tier: Core

    Asset type: URL
    Max severity: critical
  • https://portfolio.metamask.io

    **PLEASE NOTE: All reports regarding this asset should be submitted to the ConsenSys program at https://hackerone.com/consensys. Reports will be subject to the rules and conditions listed there.**

    The Portfolio dApp allows Metamask users to see an aggregated view across multiple different Metamask accounts. It also allows users to access popular on-chain primitives like Swaps, Bridging, Staking, and more.

    Asset type: URL
    Max severity: medium
  • Message signing snap

    This snap is pre-installed on MetaMask and can be tested via RPC calls.

    - **Main documentation**: https://github.com/MetaMask/message-signing-snap/blob/main/docs/testing.md
    - **Testing video tutorial**: https://www.loom.com/share/93ce2929c2584cf89af87d76f61be978

    Asset type: OTHER
    Max severity: critical
  • MetaMask SDK

    The MetaMask SDK allows third-party developers to remotely connect to their users' MetaMask wallets after performing an authorization flow.

    Asset type: OTHER
    Max severity: critical
  • https://metamask.github.io/phishing-warning/<vX.Y.Z>

    The phishing warning page is a security control that warns users when they attempt to visit a webpage found on one of our known phishing blocklists. Only vulnerabilities found on the latest version are eligible for a bounty.

    Supporting Documentation:
    * https://github.com/MetaMask/phishing-warning/releases
    * [Code usage in MetaMask extension](https://github.com/MetaMask/metamask-extension/blob/d96c2b8530ff0fe66ad8977641bc70cc0b58cc03/app/scripts/contentscript.js#L611-L624)

    Asset type: OTHER
    Max severity: critical
  • MetaMask JavaScript SDK

    The MetaMask SDK allows third-party developers to remotely connect to their users' MetaMask wallets after performing an authorization flow.

    JavaScript SDK Installation Guide:
    * https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-js/

    Unity SDK Installation Guide:
    * https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-unity.html

    Architecture documentation:
    * https://c0f4f41c-2f55-4863-921b-sdk-docs.github.io/guide/metamask-sdk-concepts.html#communication-layer

    Asset type: OTHER
    Max severity: critical
  • Snaps

    Snaps is a feature that allows third party developers to add new functionality to MetaMask. A snap is a JavaScript program that runs in an isolated environment and customizes the wallet experience. Snaps have access to a limited set of capabilities, determined by the [permissions](https://docs.metamask.io/snaps/how-to/request-permissions/) the user granted them during installation.

    Visit our [quickstart guide](https://docs.metamask.io/snaps/get-started/quickstart/) to learn how to build your own snap, or visit [snaps.metamask.io](http://snaps.metamask.io) to see the possibilities that snaps now offer.

    Please note that for the duration of the open beta, custom made snaps can only be installed on experimental [MetaMask Flask](https://metamask.io/flask/). While that asset is out of scope, vulnerabilities concerning the snaps feature are eligible for submission if they affect the main extension as well.

    **Supporting Documentation:**

    - https://github.com/MetaMask/snaps/tree/main
    - https://docs.metamask.io/snaps/

    **Architecture Documentation**

    - https://github.com/MetaMask/snaps/tree/main/docs/internals

    **Packages included in this scope:**

    - [rpc-methods](https://github.com/MetaMask/snaps/tree/main/packages/rpc-methods)
    - [snaps-controllers](https://github.com/MetaMask/snaps/tree/main/packages/snaps-controllers)
    - [snaps-execution-environments](https://github.com/MetaMask/snaps/tree/main/packages/snaps-execution-environments)
    - [snaps-utils](https://github.com/MetaMask/snaps/tree/main/packages/snaps-utils)
    - [snaps-ui](https://github.com/MetaMask/snaps/tree/main/packages/snaps-ui)

    As Snaps is a first-party feature integrated into MetaMask, vulnerabilities will be scored relative to the impact demonstrated against the MetaMask Extension, without a change in scope.

    Asset type: OTHER
    Max severity: critical
  • Snaps Development Packages

    The Snaps development tools consist of a series of unrelated packages that can assist in the development of a snap. These tools are eligible for a bounty in cases where a victim can be impacted by exploiting one of the following tools (e.g. achieving remote code execution by having a developer build your snap with snaps-cli).

    These tools are as follows:

    - [create-snap](https://github.com/MetaMask/snaps/tree/main/packages/create-snap)
    - [snaps-browserify-plugin](https://github.com/MetaMask/snaps/tree/main/packages/snaps-browserify-plugin)
    - [snaps-cli](https://github.com/MetaMask/snaps/tree/main/packages/snaps-cli)
    - [snaps-rollup-plugin](https://github.com/MetaMask/snaps/tree/main/packages/snaps-rollup-plugin)
    - [snaps-simulator](https://github.com/MetaMask/snaps/tree/main/packages/snaps-simulator)
    - [snaps-webpack-plugins](https://github.com/MetaMask/snaps/tree/main/packages/snaps-webpack-plugins)

    Asset type: SOURCE_CODE
    Max severity: medium
  • https://*.metamask.io

    **Please ensure you are not reporting a subdomain that is explicitly listed as being out of scope.**

    Bounty eligibility is determined based on the impact that can be demonstrated by exploiting the affected asset.

    Asset type: WILDCARD
    Max severity: critical
  • signature-insights.api.cx.metamask.io

    The Signature Insights API receives off-chain signature requests (eth_signTypedData_v3, eth_signTypedData_v4, etc.) from MetaMask Extension & Mobile and decodes them into state changes to be rendered into human readable balance changes. These balance changes are shown in the confirmations windows when a user is signing an off-chain signature request for popular dapps such as OpenSea, Uniswap, and others.

    API docs: https://metamask-consensys.notion.site/Public-MetaMask-Signature-Insights-API-Documentation-189f86d67d688047851fed6656a3199a

    Asset type: URL
    Max severity: critical
  • https://www.npmjs.com/search?q=%40metamask

    Vulnerabilities within npm packages in the @metamask namespace that do not pose a risk to MetaMask users

    Asset type: OTHER
    Max severity: none
  • Authentication component

    The Authentication component provides MetaMask users with services that require them to be logged in and/or identified.
    It comprises an Authentication API at https://authentication.api.cx.metamask.io/ and an ORY Hydra OAuth server at https://oidc.api.cx.metamask.io.

    Documentation can be found in this [Doc](https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)

    Asset type: OTHER
    Max severity: critical
  • snaps.metamask.io

    This is a directory that lists featured snaps available for installation on MetaMask.

    **Supporting Documentation**

    - https://github.com/MetaMask/snaps-directory

    Asset type: URL
    Max severity: critical
  • https://user-storage.api.cx.metamask.io

    The User Storage API helps developers synchronize data across multiple clients and devices in a privacy-preserving way. All data saved in the user storage database is encrypted client-side to preserve privacy.
    Documentation can be found in this [Doc](https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)

    Asset type: URL
    Max severity: critical
  • io.metamask.Metamask

    [MetaMask](https://metamask.io/download) is everything you need to manage your identity, digital assets and to explore web3. Available as a mobile application on iOS and Android.

    Asset type: APPLE_STORE_APP_ID
    Max severity: critical
  • metamask.io

    The root https://metamask.io webpage and the metamask.io DNS configuration.

    Asset type: URL
    Max severity: critical
  • MetaMask Browser Extension

    [MetaMask](https://metamask.io/download) is everything you need to manage your identity, digital assets and to explore web3. Available as an extension on Chromium-based and Firefox browsers.

    Asset type: OTHER
    Max severity: critical
  • io.metamask

    [MetaMask](https://metamask.io/download) is everything you need to manage your identity, digital assets and to explore web3. Available as a mobile application on iOS and Android.

    Asset type: GOOGLE_PLAY_APP_ID
    Max severity: critical
Target Scope Domains
  • api.cx.metamask.io
  • developer.metamask.io
  • metamask.io
  • portfolio.metamask.io
  • signature-insights.api.cx.metamask.io
  • snaps.metamask.io
  • user-storage.api.cx.metamask.io