Author Topic: Mattermost Bug Bounty  (Read 13427 times)

Angelina

Mattermost Bug Bounty
« on: May 04, 2023, 06:17:22 pm »
submit bug report

Responsible Disclosure Policy
Safety and data security are of the utmost priority for the Mattermost community. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.

Please contact us to report any security vulnerabilities found in our community test server, any of the open source code bases maintained by Mattermost, or any of our commercial offerings.
Please refrain from requesting compensation for reporting vulnerabilities.
We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
If your report is reproducible as an exploit and results in a change to the code base or documentation of a Mattermost product, we will, at your option, publicly acknowledge your responsible disclosure.
After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide Mattermost with a link to any such announcements. In releases containing security fixes, Mattermost announces an update is available, acknowledges the contributions of security researchers, and withholds specific details until 30 days after availability to give time for the community to apply updates.
You are not allowed to search for vulnerabilities on any instance of Mattermost hosted by the team, users, or customers with the exception of non-disruptive testing on the community test server mentioned above.

Mattermost is open source software; you can install a copy yourself and test against that. If you want to perform testing that might break things, please contact us to arrange access to a private staging server, so you don’t disrupt other people’s work on the community test server.

Many thanks to the security researchers who have responsibly contributed their findings to make the Mattermost code base more secure (listed by number of contributions, then alphabetically).

Security Research Hall of Fame:
Juho Nurminen (33 contributions)
Rohitesh Gupta (28 contributions)
Frans Rosén (12 contributions)
Andreas Lindh (11 contributions)
Christopher Brown (10 contributions)
Yoni Ramon from Tesla security team (7 contributions)
Joram Wilander (6 contributions)
Foobar7 (6 contributions)
Harrison Healey (6 contributions)
George Goldberg (4 contributions)
Martijn Korse, Jelle Kroon, Ömer Coskun, and Bernardo Maia Rodrigues of the KPN Red Team (4 contributions)
Christopher Speller (3 contributions)
Daniel Schalla (3 contributions)
Roman Shchekin (3 contributions)
Uchida Taishi (3 contributions)
Bastian Ike (2 contributions)
Brad Berkemier (2 contributions)
Csaba Fitzl (2 contributions)
Đặng Minh Trí (2 contributions)
Dibyajyoti Dutta (2 contributions)
Đỗ Minh Tuấn & Thanh Nguyen Van Tien (2 contributions)
Elias Nahum (2 contributions)
Eric Sethna (2 contributions)
Leandro Chaves (brdoors3) (2 contributions)
Philippe Antoine (2 contributions)
Sebastian Raff (2 contributions)
TheSecurityDev (2 contributions)
vultza (2 contributions)
Aaditya Purani
Abhisek Datta
Adam Pritchard
Adrian (thiefmaster)
Agniva de Sarker
Alex Garbutt
Alyssa Milburn
Andrea zi0Black Cappa of Shielder
Andrey Dyatlov from Wargaming
Aryan Rupala
Ashish Padelkar
Ashish Pathak
Ashley Hull
Ben Burke
Boyd Ansems of the KPN Red Team
Bruno Bierbaumer
Carlos Tadeu Panato Junior
Christer Mjellem Strand
Claudio Costa
Daniel Espino Garcia
David Dworken
Doug Lauder
Douglas Banyai
Elnerd
Erlend Leiknes from mnemonic as
Ernst Kloppenburg
Eva Sarafianou
Florian Orben
Francisco Correa
Hagai Wechsler from WhiteSource
Imamul Mursalin
James Hall from MDSec Labs
Jan Wissmann
Jesse Hallam
Jesús Espino
Jim Hebert of Fitbit Security
Jo Astoreca
Johannes Eichner
Jonas Arneberg
Jonathan (0xghostwriter)
Jorge Ferreira, Wilberto Filho, Julio Fort and Patrick Sukop from Blaze Information Security
Juho Nurminen
Julien Ahrens
Kolja Lampe
Kyriakos Ziakoulis
Lev Brouk
Linda Mitchell
Lindsay Brock
Luca Carettoni of Doyensec
Luke Arntson
Martin Kraft
Matt Moses
Mikael Berthe
Mohammad Razavi
Nathan Lowe, Scott Payne and Jeff Ziegener of Hyland Software
Paal Braathen
Pabloß
Paddy Steed
Paul Harrison
Pawan Lal
Rohit KC
Sheikh Rishad
Soroush Dalili of the NCC Group
Steve MacQuiddy from Tesla
Stylianos Rigas
Sunny Kumar
Tobias Gruetzmacher
Veshraj Ghimire
Vishwaraj Bhattrai
Ada
akash-hamal
AT1ZT0
BhaRat
DummyThatMatters
edu (enovella)
esosnov
intrigus
mga_bobo
mr_anon
p3rr0
redacted_co
RyotaK
sbruckmann
sekharlee
severus
vincentbab
whitehattushu
xpx
zerodivisi0n
Zonduu
See the Mattermost Security Updates page for a list of security updates by release.