MyEtherWallet (MEW) looks forward to working with the security community to identify vulnerabilities in order to keep our users and MEW safe.
MyEtherWallet is passionate about providing a seamless and secure experience to our community. We are devoted to protecting our users private information and providing them an opportunity to interact with the Ethereum blockchain in the safest manner possible. Security is our first priority and obligation and we always appreciate the valuable contributions from HackerOne community members! If you have any information regarding vulnerabilities on the MyEtherWallet website or MEWconnect IOS Mobile App we want to hear from from you!
Any vulnerabilities submitted under this policy will be used for the purposes of improving MyEtherWallet security as well as the user experience. We aim to establish a positive feedback between MEW and researchers that will contribute to this program - we appreciate your patience as we strive to perfect this process.
This program is aimed in finding security vulnerabilities in:
Please review, understand, and agree to the following terms and conditions before conducting any testing for MEW and before submitting a report.
MyEtherWallet will make a best effort to meet the following SLAs for hackers participating in our program:
We take every report seriously and very much appreciate the efforts of researchers, that contribute to this program. Please be patient as we’ll try to keep you informed about our progress throughout the process.
Please do not publicly disclose any vulnerabilities which have not been remediated
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
In general, any bug that can lead to loss of finances or leak of users’ personal data.
These includes bugs with sufficient severity and not limited to:
MEWconnect Mobile IOS App:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
MEWconnect Mobile IOS App:
- In rare cases, P2P connection is not established between the app and the browser.
- Can not establish connection on Safari.
Thank you for your interest in our program!
Contact us if you want more information.