This issue represents the latest bug bounty in the MetaMask bug bounty program.
We will pay out this issue and bounty to any user who is able to identify a dependency update we have merged that includes malicious code designed to illegitimately access user keys.
Since this bounty is only good for code we have merged but not yet deployed, to participate in this program it will be useful to be notified about our latest release candidates before they are published.
We have a new release candidate up with many new dependency updates (introduced in this PR), making it a prime candidate for this bounty. I recommend the use of a dependency-diffing tool in particular for finding potential vulnerabilities introduced by this change, like [npmfs](https://npmfs.com/). We are keeping this release candidate up for a full week, maximizing the opportunity that this bounty can be filled!
[NpmFS](https://npmfs.com/) is a great tool for analyzing the differences between npm modules at two release versions, and could be useful in pursuing this bounty.
We have created a new Twitter account, [MetaMask Bot](https://twitter.com/metamask_bot), for posting about pending releases, which should also be useful to interested bounty hunters. A simple [IFTTT twitter notification](https://ifttt.com/applets/204592p-get-an-if-notification-everytime-a-username-you-pick-tweets) can allow you to receive these updates via the messaging platform of your choice.
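Before diffing individual modules with a tool like npmfs, it helps to know exactly which packages a dependency-update PR touched. The following is an added example, not MetaMask's or Gitcoin's code: it assumes the project pins dependencies in an npm `package-lock.json`, and the function names and sample packages are hypothetical.

```javascript
// Flatten a parsed package-lock.json: v2/v3 "packages" map, or v1 nested "dependencies".
function flattenLock(lock) {
  const out = {};
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out[path] = meta;
      walk(meta.dependencies, `${path}/`); // v1 nests duplicate installs here
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== '') out[path] = meta; // '' is the root project itself
  }
  return out;
}

// Compare the lockfile before and after a dependency-update PR.
function diffLocks(oldLock, newLock) {
  const a = flattenLock(oldLock), b = flattenLock(newLock);
  const report = { added: [], removed: [], changed: [], sameVersionNewHash: [] };
  for (const path of Object.keys(b).sort()) {
    if (!(path in a)) { report.added.push(`${path}@${b[path].version}`); continue; }
    const from = a[path], to = b[path];
    if (from.version !== to.version) {
      report.changed.push(`${path} ${from.version} -> ${to.version}`);
    } else if (from.integrity !== to.integrity || from.resolved !== to.resolved) {
      // Version unchanged but tarball hash or download URL differs: review first.
      report.sameVersionNewHash.push(`${path}@${to.version}`);
    }
  }
  report.removed = Object.keys(a).sort().filter(p => !(p in b)).map(p => `${p}@${a[p].version}`);
  return report;
}

// Constructed sample lockfiles (hypothetical packages, not MetaMask's dependency tree).
const OLD_LOCK = { lockfileVersion: 1, dependencies: {
  'example-a': { version: '1.0.0', integrity: 'sha512-a1',
    dependencies: { 'example-c': { version: '0.1.0', integrity: 'sha512-c1' } } },
  'example-b': { version: '2.0.0', integrity: 'sha512-b1' },
  'example-d': { version: '3.0.0', integrity: 'sha512-d1' } } };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app', version: '0.0.1' },
  'node_modules/example-a': { version: '1.1.0', integrity: 'sha512-a2' },
  'node_modules/example-a/node_modules/example-c': { version: '0.1.0', integrity: 'sha512-c1' },
  'node_modules/example-b': { version: '2.0.0', integrity: 'sha512-b2' },
  'node_modules/example-e': { version: '1.0.0', integrity: 'sha512-e1' } } };
console.log(JSON.stringify(diffLocks(OLD_LOCK, NEW_LOCK), null, 2));
```

To use it on a real review, pass `JSON.parse` of the lockfile from the base branch and from the release candidate; every entry under `added` and `changed` is then a candidate for a version-to-version source diff.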