MyCrypto is a cryptocurrency interface (commonly referred to as a "wallet") that allows people to interact with their cryptocurrency assets in a user-friendly way.
We do not take custody of any customer's assets, nor do we collect personally-identifiable information about any of our customers. The user's private keys and
passwords are never saved, stored anywhere, or transferred.
Our security policy is centered around ensuring our software allows people to safely and privately interact with their own assets. We want to ensure nothing unexpected happens that could result in a user losing their assets in an unexpected way—whether that is via a third-party or malicious actor or their own actions.
MyCrypto looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. We are particularly interested in vulnerabilities found in the application layer, but any vulnerability across our stack that could lead to compromise of user funds is within scope (except as listed in "Out of Scope"). We are always appreciative when you share insights that will make our product safer, even if they aren't specifically in scope.
Toegther we can make the cryptocurrency space safer.
Vulnerability Response Process
- Please refrain from committing the following acts, as they will not be recognized as an exploit on our platform:
- Denial of Service attacks to any servers running MyCrypto software, 3rd party software we rely on (such as our Geth and Parity nodes), or APIs we rely on.
- Social engineering manipulation of MyCrypto staff members or contractors.
- Attempts to gain physical access to hardware that MyCrypto uses.
- We have acknowledged receipt of the report
- You have given us enough time from responsible disclosure (90 days) to patch.
Avenues to Contact
- Email: firstname.lastname@example.org - PGP fingerprint: 3005 29EC 5558 495B 6298 F347 389C 5789 B2A4 1011
MyCrypto will make a best effort to meet the following SLAs for hackers participating in our program:
- Time to first response (from report submit) - 3 business days
- Time to triage (from report submit) - 9 business days
- A ticket is opened with details about the vulnerability (outlining the impacts) and enough information to replicate it.
- If there is not enough information to replicate the issue, we will ask for more
- We will contact you if your issue:
- Has already been noticed internally and is included in a scheduled release (a public acknowledgment will still be made to reporters who have opened a ticket about it before release)
- Is either out-of-scope or a non-issue - the process will halt here until the issue becomes in-scope/a valid vulnerability.
- HIGH - Example: User funds are at risk of being taken maliciously or user secrets are at risk of being exposed - anything that directly affects user funds/secrets with ease.
- MEDIUM - Example: Exploits in the software that give the user bad data, which could lead users to take actions that expose themselves to risk.
- LOW - Example: Issues that are low impact to users or are extremely hard to do (e.g., needing very specific hardware)
- The vulnerability is still to be treated as private
- The researcher is given a private branch to verify the patch (if code related - this could be a staging URL for the patch) or asked to verify externally (if infrastructure related)
- A release date is internally discussed and set
Post-Release Disclosure Process
- The team has 90 days to go through the life cycle of a valid vulnerability report and issue a patch to production.
- The published vulnerability announcement will acknowledge the reporter(s)
- The reporter will be named by default, but can be kept anonymous upon request
- The published announcement will detail:
- The project affected (repository name / infrastructure descriptor)
- The versions of software known to be affected
- The versions of software known not to be affected (e.g., exploit was unintentionally introduced in v1.5 - anything prior to this version is unaffected)
- The versions of software that were not checked (e.g., versions that are now considered EOL by the MyCrypto team)
- Any mitigating factors (e.g., the vulnerability is only present in non-default configurations on a specific environment)
MyCrypto currently has no set standards for rewards at this time. We do have a budget, an amazing amount of swag, and our gratitude to
offer. Rewards, when applicable, will be considered on a case-by-case basis and are at the sole discretion of MyCrypto. If your report
has been considered for a reward, this will be communicated to you via email.
As we have security researchers on our team, we are very conscious of rewarding those who take the time and effort to protect us and our users.
Latest executables can be found https://github.com/MyCryptoHQ/MyCrypto/releases/latest. Previous versions can be found listed https://github.com/MyCryptoHQ/MyCrypto/releases/ - or you can build yourself
Beta is updated if we have a sizable number of changes to implement (i.e.: large refactors, how interaction works). It could be outdated with the current production version by a lot so vulnerabilities with the source could already be patched.
MyCrypto is a cryptocurrency interface that allows people to interact with their cryptocurrency assets in a way that is more user-friendly than other solutions. We do not hold custody of any customer's assets nor do we collect personally-identifiable information about any of our customers, so our security policy is centered on how well our software allows people to safely and privately interact with their own assets.
This is our knowledge base and contact form for handling support tickets. It is our source of truth that we direct users to learn about our products.
This is a simple GUI product page to detail our desktop app. For vulnerabilities for the desktop app, see the "Executable" type named "MyCrypto Desktop".
This is an interface to use the Simplex widget, MyCrypto branded. Private data is handled by them.
This is a directory of known cryptocurrency related scams.
This is a directory of known cryptocurrency related scams.
|iOS: App Store||
Ambo.io is a product page for Ambo mobile apps.
This is the network proxy between third-party APIs and the Ambo app.