Community

Security

Reporting a Vulnerability

Please do not open a public GitHub Issue to report the vulnerability.

Instead, please email security@metaplex.foundation.

You should receive a response within 24-48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

  • Type of issue (e.g. buffer overflow, missing ownership check, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

You may also be eligible for a bounty. More details can be found here.

Audits

Ongoing automated and manual security audits are routinely performed by our audit partners Sec3 and MadShield. Automated audits are performed for every PR and security issues must be resolved before merging into the main branch. Manual ongoing audits are initiated for changes above a specific threshold and security issues must be resolved before merging into the main branch.

Large one-off audits are also performed when there are large changes to the code or functionality as detailed below.

ProtocolLast major one-off audit date
Core2024-05-06
Token Metadata2024-03-14
Inscriptions2024-01-16
Bubblegum/Compression2023-11-29
Trifle/Fusion2023-04-13
Candy Machine V32022-11-01
Candy Machine V22022-11-01
Auction House2022-10-24
Gumdrop2022-05-16

We do not have ongoing automated nor manual security audits that are routinely performed by our audit partners for our developer tools. However, audits may be ordered, facilitated, and paid for by our community of 3rd party Solana ecosystem developers or entities of thier own accord.

Developer ToolsLast audit date
Sugar CLI*2022-08-26

(*) Audited by OtterSec

Previous
Community Guides