Audit requirements are changing. Here's what that means for your Snap.

[Montoya]

It's been almost 8 months since the launch of MetaMask Snaps. In that time, we have seen:

• 55 Snaps developed by 3rd party developers and listed in our official directory
• Over 800k installs across all Snaps

Since the launch, we have been looking at the various permissions available to developers and exploring ways to make the allowlisting process easier while still keeping MetaMask users safe. In the spirit of this approach, I am excited to announce an updated allowlist process for 3rd party Snaps. With this new process, any Snap that does not use key management permissions will not require a security audit. Furthermore, a subset of Snaps can now be installed by anyone without inclusion on our allowlist (more information on this below). We still encourage all Snap developers to consider getting 3rd party security audits as these audits demonstrate a commitment to secure coding practices and give users peace of mind.

We encourage all developers to review our guide to getting allowlisted and reach out to our builder engagement team if you have questions.

More on "open permissions"

The following is a list of permissions that do not require allowlisting:

• endowment:cronjob
• endowment:ethereum-provider
• endowment:lifecycle-hooks
• endowment:page-home
• endowment:signature-insight
• endowment:transaction-insight
• snap_dialog
• snap_getLocale
• snap_manageState
• snap_notify

If your Snap only uses permissions from this list, it can be installed in the MetaMask extension without inclusion on the allowlist. Any permissions not on this list are protected permissions and will require allowlisting.