Security Disclosure Policy

Matrix.org greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Matrix’s user-base from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.
  • We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.
  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing [email protected]. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt the security team will:

  • Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.
  • Once the reported security bug has been addressed, we will notify the researcher, who is then welcome to disclose publicly if they wish.

The Matrix.org Foundation does not currently provide a bug bounty, though organisations building on top of Matrix may do so in future. We do, however, maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.

Hall of Fame

    2020-09-20 - Synapse - Denis Kasak
    HTML injection in login fallback endpoints could be used for a Cross-site-scripting attack (CVE-2020-26891). Fixed in Synapse 1.21.0.
    2020-09-09 - New Vector Infrastructure - Pritam Mukherjee
    Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking
    2020-08-14 - Element - awesome-michael - Awesome Technologies
    An issue where encrypted state events could break incoming call handling. Fixed in Element 1.7.5.
    2020-07-29 - Element - TR_SLimey
    An issue where Element Android was leaking PII. Fixed in Element Android 1.0.5.
    2020-07-20 - Element - SakiiR
    An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in Element 1.7.3.
    2020-07-14 - Synapse - Denis Kasak
    Invalid JSON could become part of the room state, acting as a denial of service vector (CVE-2020-26890). Fixed in Synapse 1.20.0. Disclosed 2020-11-23.
    2020-07-02 - Synapse - Quentin Gliech
    A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in Synapse 1.15.2.
    2020-06-18 - Element - Sorunome
    An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in Element 1.7.3.
    2020-05-10 - Matrix React SDK - Quentin Gliech
    A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of matrix-react-sdk#4685, released in Riot/Web 1.6.3.
    2020-05-03 - e2e spec - David Wong
    A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in MSC2630, which lists the fixed client versions.
    2020-03-03 - Synapse - Rhys Davies
    An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1.
    2019-05-02 - sydent - Enguerran Gillier
    HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3.
    2019-05-02 - synapse - Enguerran Gillier
    SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1.
    2019-05-02 - synapse - Enguerran Gillier
    Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1.
    2019-05-02 - sydent - Enguerran Gillier
    Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3.
    2019-04-22 - Riot/Android - Julien Thomas - Protektoid Project
    Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.
    2019-04-20 - Sydent - fs0c131y
    Sydent session ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated here.
    2019-04-18 - Sydent - fs0c131y
    An email validation exploit in Sydent. For more details see here and CVE-2019-11340.
    2019-04-09 - Infrastructure - Jaikey Sarraf
    Identified an unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired that the vulnerability had already been exploited by an attacker.
    2018-12-06 - Synapse - Brian Hyde
    XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated here.
    2018-02-19 - Matrix React SDK - rugk
    Origin check of ScalarMessaging postmessage API was insufficient. Mitigated here.

If you think you should be on the list, apologies if we missed you; please mail us at [email protected]