Rocket.Chat is committed to delivering an awesome and secure chat solution for, and aided by, our community. Given the nature of chat, we understand each person using Rocket.Chat has some expectation about their data being secure and private. It's clear how important this is to everyone, and we work to the best of our abilities to ensure your expectations are met. If you believe you've found a security issue in our source code, we encourage you to notify us. Our security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Please do not conduct testing against Rocket.Chat demo server and do not use it to develop Proof-of-Concept code for submitting reports. Please use your own Rocket.Chat installation for screen captures, logs, and videos showing vulnerabilities.

• Provide as many relevant details as you can, in particular:

• 1) What versions of software are involved;

• 2) What steps someone can follow to go from an initial installation of that software to a point where they see the vulnerability;

• 3) Any patches or steps to mitigate the problem.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service

• Spamming

• Automated scanning of any kind

• Rocket.Chat Community Server (https://open.rocket.chat)

• Static website (https://rocket.chat)

• Missing Security Headers (eg. HSTS, CSP)

• Missing Secure Flags on Cookies

• SSL issues (weak ciphers/key-size/BEAST/CRIME)

• CSRF without any security impact

• Rate Limiting (unless it constitutes a significant risk)

• Email sending checks

• Social engineering (including phishing) of Rocket.Chat staff or contractors

• Any physical attempts against Rocket.Chat property or data centers

Thank you

Rocket.Chat is very grateful for your help in responsibly disclosing vulnerabilities and keeping our users safe! If your work helps us improve the security of our service, we'd be happy to acknowledge your contribution in our Whitehat Hall of Fame.