Introduction to MyCrypto's Security Approach
MyCrypto serves as a user-friendly cryptocurrency interface (commonly called a "wallet") that enables individuals to interact with their digital assets securely. Unlike custodial services, we never take possession of customer funds or collect personally identifiable information. Your private keys and passwords remain exclusively in your control—never stored, saved, or transmitted by our systems.
Our security philosophy focuses on three core principles:
- User Sovereignty: Ensuring software empowers self-custody without unexpected risks
- Privacy Protection: Maintaining strict non-custodial protocols for all transactions
- Proactive Defense: Collaborating with security researchers to strengthen protections
Vulnerability Disclosure Program
Responsible Reporting Guidelines
We welcome security researchers to help improve our systems through ethical disclosure. Our program particularly values findings at the application layer, though any vulnerability potentially endangering user funds falls within scope (excluding listed exceptions).
Prohibited Activities:
- Denial-of-service attacks against MyCrypto servers or dependent APIs
- Social engineering targeting staff/contractors
- Physical access attempts to MyCrypto hardware
Preferred Submission Methods:
- Encrypted email: [email protected] (PGP fingerprint: 3005 29EC 5558 495B 6298 F347 389C 5789 B2A4 1011)
- OpenBugBounty platform
Response Team Structure
Our dedicated security team includes:
- Harry Denley (@409h)
- Michael Hahn (@blurpesec)
- Taylor Monahan (@tayvano)
- Mia Alexander (@miagx)
Service Level Commitments
We maintain strict response timelines:
- Initial acknowledgment: Within 3 business days
- Triage completion: Within 9 business days
- Patch deployment: Target resolution within 90 days
Incident Management Protocol
Vulnerability Lifecycle Process
- Submission: Researchers provide reproducible vulnerability details
- Validation: Team confirms technical accuracy and impact
- Classification: Severity assessment (High/Medium/Low)
- Remediation: Patch development with researcher validation
- Disclosure: Coordinated public announcement post-fix
Severity Examples:
| Level | Impact | Example Scenario |
|---|---|---|
| High | Direct funds/secrets exposure | Private key extraction flaw |
| Medium | Indirect risk creation | Misleading transaction data |
| Low | Minimal practical impact | Hardware-specific edge case |
Scope of Coverage
Protected Digital Properties
Desktop Application:
- Current builds: GitHub MyCrypto releases
- Legacy versions: Available in repository history
Web Platforms:
| Domain | Purpose | Repository |
|---|---|---|
| mycrypto.com | Marketing/onboarding | MyCryptoHQ/landing |
| app.mycrypto.com | Web interface | MyCryptoHQ/MyCrypto |
| support.mycrypto.com | Knowledge base | MyCryptoHQ/support.mycrypto.com |
| download.mycrypto.com | Desktop app portal | MyCryptoHQ/download.mycrypto.com |
Mobile Applications:
- Ambo iOS wallet (App Store ID 1460081235)
- Network proxy: ambo.herokuapp.com
Scam Databases:
- CryptoScamDB.org (active)
- EtherScamDB.info (archived)
Frequently Asked Questions
Q: How does MyCrypto differ from exchange wallets?
A: We operate as a non-custodial interface—your keys never leave your device, unlike exchange wallets where the platform controls access.
Q: What happens if I discover a vulnerability?
A: Submit via our secure channels. After validation, our team will collaborate on responsible disclosure and potentially offer rewards.
Q: Are third-party MyCrypto forks covered?
A: Only official MyCryptoHQ GitHub repositories and listed domains qualify for our program.
Q: What rewards are available for researchers?
A: While we evaluate each case individually, rewards may include monetary compensation, exclusive swag, and public recognition.
Q: How quickly are critical vulnerabilities patched?
A: High-severity issues receive immediate attention, typically resolved within days depending on complexity.
Q: Can I remain anonymous when reporting?
A: Absolutely—we respect researcher privacy and accommodate anonymous disclosure requests.
Security Partnership Philosophy
We believe collaborative security strengthens the entire cryptocurrency ecosystem. By maintaining transparent protocols and encouraging ethical research, MyCrypto aims to set industry standards for non-custodial wallet protection while empowering users with reliable self-custody tools.