How Scatter stays verifiable and safe
Scatter Desktop keeps approvals local, protects keys with encryption, and ships reproducible builds you can verify. This page covers verification steps, defensive defaults, and how to report vulnerabilities responsibly.
Release integrity and verification
Verify every download before running it. Scatter releases are reproducible, signed, and published only on the official site and GitHub.
Where to download
- Use the download links at get-scatter.org or the official GitHub releases.
- Check filenames and versions against the release notes before installing.
- We do not distribute installers by DM, ads, or third-party mirrors.
Verify signatures and hashes
- Each build ships with .sha256sum and .asc files.
- Validate the checksum, then verify the PGP signature with key 0xA3126F54D23B18EF.
- Because builds are reproducible, independent parties can confirm the outputs match the published binaries.
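The checksum-then-signature check described above, written out as an added Python example (not Scatter's own tooling). It assumes the .sha256sum file uses the usual `<hex>  <filename>` layout, that gpg is installed with the release key imported, and it matches the VALIDSIG fingerprint from gpg's --status-fd output against the key ID published on this page.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# Long key ID published on this page (the last 16 hex digits of the fingerprint).
SCATTER_KEY_ID = "A3126F54D23B18EF"


def parse_sha256sum(text: str) -> dict[str, str]:
    """Parse `<hex>  <filename>` lines (assumed format) from a .sha256sum file."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # coreutils marks binary mode with a leading '*'
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_checksum(path: Path, sums_text: str) -> bool:
    """Hash the downloaded file and compare it with the entry for its filename."""
    expected = parse_sha256sum(sums_text)
    if path.name not in expected:
        return False  # a file the release notes never listed is not trusted
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    # compare_digest keeps the comparison free of early-exit timing differences.
    return hmac.compare_digest(h.hexdigest(), expected[path.name])


def signature_is_from(gpg_status: str, key_id: str) -> bool:
    """Accept only a VALIDSIG line whose fingerprint ends in the expected key ID."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper().endswith(key_id.upper())
    return False  # GOODSIG/BADSIG alone is not enough: a different key could sign


def verify_signature(sig_path: Path, file_path: Path, key_id: str = SCATTER_KEY_ID) -> bool:
    """Run gpg and trust the result only if it names the published key."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(file_path)],
        capture_output=True, text=True,
    )
    return signature_is_from(proc.stdout, key_id)
```

Run verify_checksum first and verify_signature second; a pass on the checksum alone only proves the download matches the .sha256sum file, not that the file came from the release key.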
Updates and integrity
- Critical security fixes are released promptly and called out in the changelog.
- Scatter Desktop does not auto-run downloads; you stay in control of when to install.
- Reinstalling with a verified build does not recover private keys—keep secure backups.
Protecting keys and approvals
Keys stay encrypted on your device. Approvals are explicit, time-bound, and can be revoked when you no longer trust a dapp.
Local-first storage
- Private keys are encrypted with the password you set; they are never transmitted to Scatter servers.
- Hardware wallet support keeps private material on the device itself—Scatter only relays signing requests.
- Resetting Scatter removes local accounts and permissions; keep offline backups you control.
Approvals you control
- Each signature request is explicit about the chain, network, and data being signed.
- Session keys reduce repeated prompts while keeping scope limited to the dapp you approved.
- You can revoke dapp permissions or switch accounts before approving new actions.
Defense in depth
- Scatter encrypts sensitive data at rest and uses TLS for transport to supported bridges.
- Network metadata is visible before connecting so you can catch misconfigured endpoints.
- We recommend strong OS-level protections: disk encryption, up-to-date antivirus, and locked screens.
Incident response and disclosure
Coordinated disclosure keeps users safe. If you find a vulnerability, tell us quickly and privately so we can ship a fix.
Report securely
- Email security@get-scatter.org with a clear description and steps to reproduce.
- Encrypt sensitive details using our PGP key 0xA3126F54D23B18EF.
- Include the Scatter version, OS, and whether the issue affects mainnet or testnet usage.
What to expect
- We acknowledge reports quickly, then share a remediation plan and target timeline when applicable.
- Critical issues that lead to fixes may be rewarded. Coordinated, non-public disclosure is required.
- We may ask for proof-of-concept details to validate impact before shipping a patch.
Staying informed
- Follow the changelog for notes on patched vulnerabilities and security hardening.
- Re-verify new installers after each update using the published checksums and signatures.
- Rotate any credentials or session keys you suspect were exposed before the fix.
User safety checklist
A few habits dramatically reduce risk. Keep these in mind whenever you use Scatter Desktop.
Verify before you trust. Download from official links only, check hashes and signatures, and compare versions to the release notes.
Keep your device clean. Update your OS, use malware protection, and avoid installing unknown browser extensions alongside Scatter.
Protect your password. Use a unique, strong password for Scatter, enable OS disk encryption, and lock your screen when away.
Review prompts carefully. Confirm networks, amounts, and recipients inside Scatter before approving; decline if anything looks off.
Backup responsibly. Store recovery material offline; we cannot restore lost keys or hardware wallets for you.