Bountytalk Launched

Author Topic: Mattermost Bug Bounty [$150]  (Read 1916 times)


  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
    • View Profile
Mattermost Bug Bounty [$150]
« on: April 20, 2023, 07:36:27 PM »
Submit bug report:

Mattermost Bug Bounty Program
Mattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.
Eligibility & Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Program Rules
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:
Generating abuse requests
Submission of support, sales or other requests to 3rd party systems
Mass creation of trial and/or free instances on cloud
Mass creation of users, groups, and projects within a single instance
Spam-like or other high volume activity
Submission of any sort of malicious posts on any of our community servers
Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at and quick installation instructions available at
Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.

Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.
Our rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the CVSS calculator.
Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.
Third Party Dependencies and Standard Libraries
Reports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:
A working proof of concept exploit is submitted
A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.
Out of Scope:
Mattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:
Any violations of our Program Rules
Brute force attacks. Example: Guessing a user's password
Disclosure of server or software version numbers
Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance
Phishing using Unicode homoglyphs or RTLO characters
Issues with the SPF, DKIM or DMARC records (except from
CSV/Formula Injection
Attacks requiring physical access to the victim's computer
Adversary-in-the-middle attacks
Distributed Denial of Service
Content spoofing
Social Engineering, including phishing
Email flooding
Issues related to XMLRPC
Unconfirmed reports from automated vulnerability scanners
Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system
Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps
Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account
Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks
Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed
Known issues (not worth reporting):
The following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:
It's possible for unauthenticated users to determine which email addresses do and don't have accounts
Information disclosure related to cross-team isolation
OAuth applications don't yet support scopes and can do anything the authenticated user can do
Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public
Hyperlink Injection in the emails sent to the users
System Admins are allowed to perform any actions on the system
Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary
EXIF metadata not being stripped from images
Race conditions that lead to bypassing the limit
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Mattermost and our users safe!
« Last Edit: April 26, 2023, 06:12:41 PM by Angelina »