Rocket.Chat is committed to delivering an awesome and secure chat solution
for, and aided by, our community. Given the nature of chat, we understand each
person using Rocket.Chat has some expectation about their data being secure
and private. It's clear how important this is to everyone, and we work to the
best of our abilities to ensure your expectations are met. If you believe
you've found a security issue in our source code, we encourage you to notify us.
Our security team will respond to confirm receipt of your message, review and
plan the mitigation of the issue appropriately, as well as set a timeline for
a new release or patch.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Please do not conduct testing against the Rocket.Chat demo server, and do not use it to develop proof-of-concept code for submitting reports. Use your own Rocket.Chat installation for the screen captures, logs, and videos that demonstrate a vulnerability.
- Provide as many relevant details as you can, in particular:
  1) Which versions of the software are involved;
  2) The steps someone can follow to go from a fresh installation of that software to the point where they observe the vulnerability;
  3) Any patches or steps that mitigate the problem.
While researching, we ask you to refrain from:
- Denial of service
- Automated scanning of any kind
- Social engineering (including phishing) of Rocket.Chat staff or contractors
- Any physical attempts against Rocket.Chat property or data centers
The following targets are out of scope:
- Rocket.Chat Community Server (https://open.rocket.chat)
- Static website (https://rocket.chat)
The following issue classes are out of scope unless you can demonstrate a concrete security impact:
- Missing security headers (e.g. HSTS, CSP)
- Missing Secure flags on cookies
- SSL/TLS issues (weak ciphers or key sizes, BEAST, CRIME)
- CSRF without any security impact
- Rate limiting (unless it constitutes a significant risk)
- Email sending checks
Rocket.Chat is very grateful for your help in responsibly disclosing
vulnerabilities and keeping our users safe! If your work helps us improve the
security of our service, we'd be happy to acknowledge your contribution in our
Whitehat Hall of Fame.