Skip to main content

Security

Reporting a Vulnerability

Please do not open a public GitHub Issue to report the vulnerability.

Instead, please email security@metaplex.com.

You should receive a response within 24-48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

  • Type of issue (e.g. buffer overflow, missing ownership check, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

You may also be eligible for a bounty. More details can be found here.

Audits

Ongoing automated and manual security audits are routinely performed by our audit partner Sec3. Automated audits are performed for every PR and security issues must be resolved before merging into the main branch. Manual ongoing audits are initiated for changes above a specific threshold and security issues must be resolved before merging into the main branch.

Large one-off audits are also performed when there are large changes to the code or functionality as detailed below.

ProtocolLast major one-off audit date
Token Metadata2022-07-31
Auction House2022-06-26
Gumdrop2022-05-16
Candy Machine*2021-02-01

(*) Independent 3rd party audit