MyEtherWallet (MEW) looks forward to working with the security community to identify vulnerabilities in order to keep our users and MEW safe.
MyEtherWallet is passionate about providing a seamless and secure experience to our community. We are devoted to protecting our users private information and providing them an opportunity to interact with the Ethereum blockchain in the safest manner possible. Security is our first priority and obligation and we always appreciate the valuable contributions from HackerOne community members! If you have any information regarding vulnerabilities on the MyEtherWallet V5 website (aka MEW V5) , MEW CX , and MEWconnect iOS/ Android we want to hear from from you!
Any vulnerabilities submitted under this policy will be used for the purposes of improving MyEtherWallet security as well as the user experience. We aim to establish a positive feedback between MEW and researchers that will contribute to this program - we appreciate your patience as we strive to perfect this process.
This program is aimed in finding security vulnerabilities in:
Please review, understand, and agree to the following terms and conditions before conducting any testing for MEW and before submitting a report.
Thank you.
MyEtherWallet will make a best effort to meet the following SLAs for hackers participating in our program:
We take every report seriously and very much appreciate the efforts of researchers, that contribute to this program. Please be patient as we’ll try to keep you informed about our progress throughout the process.
Please do not publicly disclose any vulnerabilities which have not been remediated
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
In general, any bug that can lead to loss of finances or leak of users’ personal data.
These includes bugs with sufficient severity and not limited to:
MEW V5 - MyEtherWallet website and MEW CX:
MEWconnect iOS and Android App:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
MEWconnect iOS and Android App:
Please visit our Github page: https://github.com/MyEtherWallet/ __
Thank you for your interest in our program!
Scope Type | Scope Name |
---|---|
android_application | app.android.mewconnect |
android_application | https://play.google.com/store/apps/details?id=com.myetherwallet.mewconnect __ |
ios_application | app.ios.mewconnect |
ios_application |
|
other |
|
other |
|
other |
|
other |
|
other |
|
web_application | www.myetherwallet.com |
web_application |
|
web_application | app.testflight.mewconnect |
web_application | |
web_application |
|
web_application | app.android.hockey-app.mewconnect |
web_application | |
web_application | https://github.com/MyEtherWallet/MEWconnect-Android/tree/master __ |
web_application | |
web_application | https://github.com/MyEtherWallet/MEWconnect-iOS/tree/master __ |
web_application | |
web_application | |
web_application | https://chrome.google.com/webstore/detail/mew- cx/nlbmnnijcnlegkjjpcfjclmcfggfefdm?hl=en __ |
The public program MyEtherWallet on the platform Hackerone has been updated on 2019-08-22, The lowest reward is 50 $.
FireBounty © 2015-2019