Program Overview:

MyEtherWallet (MEW) looks forward to working with the security community to identify vulnerabilities in order to keep our users and MEW safe.

MyEtherWallet is passionate about providing a seamless and secure experience to our community. We are devoted to protecting our users private information and providing them an opportunity to interact with the Ethereum blockchain in the safest manner possible. Security is our first priority and obligation and we always appreciate the valuable contributions from HackerOne community members! If you have any information regarding vulnerabilities on the MyEtherWallet website or MEWconnect IOS Mobile App we want to hear from from you!

Any vulnerabilities submitted under this policy will be used for the purposes of improving MyEtherWallet security as well as the user experience. We aim to establish a positive feedback between MEW and researchers that will contribute to this program - we appreciate your patience as we strive to perfect this process.

This program is aimed in finding security vulnerabilities in:

• MEWconnect IOS Mobile App
• Current live version of myetherwallet.com

Please review, understand, and agree to the following terms and conditions before conducting any testing for MEW and before submitting a report.

Thank you.

SLA

MyEtherWallet will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 2 business days
• Time to triage (from report submit) - 2 business days
• Time to bounty (from triage) - 5 business days

We take every report seriously and very much appreciate the efforts of researchers, that contribute to this program. Please be patient as we’ll try to keep you informed about our progress throughout the process.

Disclosure Policy:

Please do not publicly disclose any vulnerabilities which have not been remediated

Program Rules:

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

In Scope Vulnerabilities:

In general, any bug that can lead to loss of finances or leak of users’ personal data.

These includes bugs with sufficient severity and not limited to:

MyEtherWallet Website:

• Clickjacking
• XSS
• Remote code execution
• CSRF
• Authentication bypass or privilege escalation
• Accessing users private keys and personal data

MEWconnect Mobile IOS App:

• Injection, Manipulation of account balance
• Authentication bypasses, Loss of privileged information (passwords, private keys, etc.)
• Unauthorised Transaction signing
• Unauthorised P2P connection
• Modification of request received by the Mobile application on www.myetherwallet.com __

Out of scope vulnerabilities:

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive information.
• Self-XSS
• Logout CSRF
• Lack of password length restrictions
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
• DNS vulnerabilities
• Denial of service
• Spamming
• Vulnerabilities in third party applications which make use of the MEW’s API
• Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)
• Reports from automated tools or scans (without accompanying demonstration of exploitability)
• Text-only injection in error pages
• Any other service not directly hosted or controlled by MyEtherWallet.com. MEW will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.
• WebRTC protocol and implementation.
• Socket.io protocol
• Express server for MEWconnect

MEWconnect Mobile IOS App:

• Software bugs that have no security impact.
• Public User data, such as, public address, balances, transaction information etc. stored unencrypted on external storage and private directory.
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• Require physical connection to the device with developer-level debugging tool.
• Result in an application-level crash, or simply mention the possibility of MITM without an exploit.
• Reports based on information taken or obtained through illegal access and confidential information
• Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the app.
• Known Bugs

Known Bugs (currently investigated by MyEtherWallet team):

MEWconnect:
- In rare cases, P2P connection is not established between the app and the browser.
- Can not establish connection on Safari.

Thank you for your interest in our program!