Security Disclosure Policy

Matrix.org greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Matrix’s user-base from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.
  • We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.
  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing [email protected]. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt the security team will:

  • Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.
  • Once the reported security bug has been addressed, we will notify the researcher, who is then welcome to disclose it publicly if they wish.

The Matrix.org Foundation does not currently provide a bug bounty, though organisations building on top of Matrix may do so in future. We do, however, maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.

Hall of Fame

  • 2019-05-02 - Sydent - Enguerran Gillier
    HTML injection in email invites. A malicious 3rd-party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3.
  • 2019-05-02 - Synapse - Enguerran Gillier
    SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1.
  • 2019-05-02 - Synapse - Enguerran Gillier
    Insecure pseudo-random number generator in Synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1.
  • 2019-05-02 - Sydent - Enguerran Gillier
    Insecure pseudo-random number generator in Sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3.
  • 2019-04-22 - Riot/Android - Julien Thomas - Protektoid Project
    Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.
  • 2019-04-20 - Sydent - fs0c131y
    Sydent session IDs were predictable, meaning it was possible to infer the total number of validations and also to check whether an address had been validated. Mitigated here.
  • 2019-04-18 - Sydent - fs0c131y
    An email validation exploit in Sydent. For more details see here and CVE-2019-11340.
  • 2019-04-09 - Infrastructure - Jaikey Sarraf
    Identified an unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired that the vulnerability had already been exploited by an attacker.
  • 2018-12-06 - Synapse - Brian Hyde
    XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated here.
  • 2018-02-19 - Matrix React SDK - rugk
    The origin check of the ScalarMessaging postMessage API was insufficient. Mitigated here.

If you think you should be on this list and we have missed you, apologies; please mail us at [email protected].