Audits
If your Snap uses key management permissions, you will need an audit before it can be allowlisted.
You may work with any auditor on this list. Feel free to contact multiple auditors and request quotes.
| Company Name | Primary Contact Name | Primary Contact Email |
|---|---|---|
| Diligence | Davit Kobakhidze | [email protected] |
| Cure53 | Dr. Mario Heiderich | [email protected] |
| Hacken | Kostiantyn Harniuk | [email protected] |
| Kudelski Security | Alex Kopferschmitt | [email protected] |
| Ottersec | Alex Donn | [email protected] |
| Sayfer | Nir Duan | [email protected] |
| Slowmist | Jeff Liu | [email protected] |
| Veridise | Amber Huang | [email protected] |
For most Snaps, the scope is limited to the Snap code base. For example, if your Snap has a companion dapp, the dapp code is not required to be audited. However, where the Snap relies on modules that are critical to its functionality, such as the MPC algorithm in an MPC wallet Snap, the audit scope should also include those modules.
After the audit is complete, you should mitigate any issues of “medium” risk or greater. Please make sure that the audit report contains the commit or version hash of the code that was audited, the commit or version hash of the updated code with any fixes as applicable, and a complete list of all vulnerabilities identified with corresponding fixes or responses from your team.
Audit costs need to be paid by Snap developers. MetaMask does not cover these costs.
Once you complete the allowlisting process, we trust that you can continue to follow secure coding practices. Thus, we do not require you to get additional audits. The allowlist uses strict versioning, so you will need to inform the MetaMask Snaps team when you have a new version of your Snap on npm. The MetaMask Snaps team will review the update and add it to the allowlist after the review process is complete.