Security is one of the core focus areas of the development team. To build on the work we already do with security experts and independent researchers, we want to leverage the expertise of the community through our HackerOne bounty scheme.
You can access it at hackerone.com/metamask.
The scheme only applies to security vulnerabilities. If you have a non-security-related bug, please report it on GitHub.
If you believe you've found a vulnerability, please do not discuss it publicly, especially on social media platforms. Instead, head directly to the MetaMask HackerOne page to report the issue.
For more information, please see metamask.io/security.