Safety and data security is of utmost priority for the Mattermost community. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.
- Please email email@example.com to report any security vulnerabilities found in our community test server, any of the open source code bases maintained by Mattermost, or any of our commercial offerings.
- Please refrain from requesting compensation for reporting vulnerabilities.
- We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
- If your report results in a change to the code base or documentation of a Mattermost product, we will–at your option–publicly acknowledge your responsible disclosure.
You are not allowed to search for vulnerabilities on any instance of Mattermost hosted by the team, users, or customers with the exception of non-disruptive testing on the community test server mentioned above.
Mattermost is open source software, you can install a copy yourself and test against that. If you want to perform testing that might break things please contact us to arrange access to a private staging server, so you don’t disrupt other people’s work on the community test server.
If you want to encrypt your disclosure email please email us to ask for our PGP key.
Many thanks to the security researchers who have responsibly contributed their findings to make the Mattermost code base more secure (listed by contribution count, then recency).
Security Research Hall of Fame:
- Andreas Lindh (11 contributions)
- Yoni Ramon from Tesla security team (7 contributions)
- Uchida Taishi (3 contributions)
- Bastian Ike (2 contributions)
- Harrison Healey (2 contributions)
- Jim Hebert of Fitbit Security
- Luke Arntson
- Florian Orben
- Paddy Steed
- Ashish Pathak
- Mohammad Razavi
- Steve MacQuiddy from Tesla
- Christer Mjellem Strand
- Jonas Arneberg
- Ashley Hull
- Kolja Lampe
- Alyssa Milburn
See the Mattermost Security Updates page for a list of security updates by release.