Hackus,safely.

MettaPay welcomes security research. Email security@mettapays.com. We commit to working with you in good faith.

We will not pursue legal action against researchers who, in good faith, comply with this policy. Activity conducted in line with this policy is considered authorized, and we will work with you to understand and resolve issues quickly.

• mettapays.com and subdomains operated by MettaPay
• MettaPay smart contracts deployed by Metta Protocol LLC
• MettaPay APIs and authenticated endpoints

• Third-party services we integrate with (report to those vendors directly)
• Denial-of-service attacks, volumetric or otherwise
• Social engineering of MettaPay employees, contractors, or users
• Physical attacks against MettaPay property or staff
• Findings derived from automated scanners with no demonstrated impact
• Missing best-practice headers without a working exploit

• Do not access, modify, or delete user data beyond what is needed to demonstrate the issue
• Use only test accounts you own
• Stop testing and report immediately if you encounter sensitive data
• Give us reasonable time to remediate before public disclosure (we target 90 days)

• Acknowledge your report within 5 business days
• Provide a triage decision within 10 business days
• Keep you informed of remediation progress
• Credit you on our Security page, with your permission

MettaPay does not currently operate a paid bug bounty program. We may, at our discretion, offer recognition or compensation for high-impact reports. A formal program is planned post-audit.