2021-03-29
Mattermost

Mattermost Bug Bounty Program
======================

Mattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.

Eligibility & Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Follow HackerOne's disclosure guidelines.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Program Rules

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:

    • Generating abuse requests

    • Submission of support, sales or other requests to 3rd party systems

    • Mass creation of trial and/or free instances on cloud

    • Mass creation of users, groups, and projects within a single instance

    • Spam-like or other high volume activity

    • Submission of any sort of malicious posts on any of our community servers

  • Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html.

  • Reports sent from automated tools without verification will be immediately disqualified and closed as N/A.

Accounts

  • You must use your HackerOne email address, YOURHANDLE@wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.

Scope

  • Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.

Rewards

Our rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the CVSS calculator.

Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.

Out of Scope:

Mattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:

  • Any violations of our Program Rules

  • Brute force attacks. Example: Guessing a user's password

  • Disclosure of server or software version numbers

  • Server-side request forgery (SSRF) that requires system admin privileges, except on a cloud instance

  • Phishing using Unicode homoglyphs or RTLO characters

  • Issues with the SPF, DKIM or DMARC records (except for mattermost.com)

  • CSV/Formula Injection

  • Attacks requiring physical access to the victim's computer

  • Man-in-the-middle attacks

  • Distributed Denial of Service

  • Content spoofing

  • Social Engineering, including phishing

  • Email flooding

  • Issues related to XMLRPC

  • Unconfirmed reports from automated vulnerability scanners

  • Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system

  • Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps

  • Open Redirects without demonstrating additional security impact (such as stealing auth tokens)

  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

  • Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account

  • Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks

Known issues (not worth reporting):

The following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:

  • It's possible for unauthenticated users to determine which email addresses do and don't have accounts

  • Information disclosure related to cross-team isolation

  • OAuth applications don't yet support scopes and can do anything the authenticated user can do

  • Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public

  • Hyperlink Injection in the emails sent to the users

  • System Admins are allowed to perform any actions on the system

  • Sessions are not automatically invalidated during an email/password change, but it's still possible to manually revoke all sessions from Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary

  • EXIF metadata not being stripped from images

  • Race conditions that lead to bypassing the limit

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Mattermost and our users safe!

In Scope

Scope Type        Scope Name
other             Other publicly-released plugins
undefined         mattermost/mattermost-server
undefined         mattermost/mattermost-mobile
undefined         mattermost/mattermost-redux
undefined         mattermost/desktop
undefined         mattermost/mattermost-push-proxy
undefined         mattermost/mattermost-plugin-jira
undefined         mattermost/mattermost-plugin-zoom
undefined         mattermost/mattermost-plugin-github
undefined         mattermost/mattermost-plugin-autolink
undefined         mattermost/mattermost-plugin-welcomebot
undefined         mattermost/mattermost-plugin-custom-attributes
undefined         mattermost/mattermost-plugin-aws-SNS
undefined         mattermost/mattermost-plugin-playbooks
web_application   *.test.mattermost.cloud
web_application   *.mattermost.com
web_application   mattermost/mattermost-webapp

Out of Scope

Scope Type        Scope Name
web_application   about.mattermost.com
web_application   integrations.mattermost.com
web_application   docs.mattermost.com
web_application   mattermost.(com/org)


This policy was crawled by Onyphe on 2021-03-29 and is sorted as bounty.
