Security Disclosure Policy

Matrix.org greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Matrix’s user-base from the impact of security issues. On our side, this means:

• We will respond to security incidents as a priority.
• We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.
• We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing [email protected]. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt the security team will:

• Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.
• Once the reported security bug has been addressed we will notify the Researcher, who is then welcome to optionally disclose publicly.

The Matrix.org Foundation does not currently provide a bug bounty, though organisations building on top of Matrix may do so in future. We do, however, maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.

Hall of Fame

2020-07-02 - Synapse - Quentin Gliech
A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in Synapse 1.15.2.
2020-05-10 - Matrix React SDK - Quentin Gliech
A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of matrix-react-sdk#4685, released in Riot/Web 1.6.3.
2020-05-03 - e2e spec - David Wong
A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in MSC2630, which lists the fixed client versions.
2020-03-03 - Synapse - Rhys Davies
An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1
2019-05-02 - sydent - Enguerran Gillier
HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3
2019-05-02 - synapse - Enguerran Gillier
SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1
2019-05-02 - synapse - Enguerran Gillier
Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1
2019-05-02 - sydent - Enguerran Gillier
Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3
2019-04-22 - Riot/Android - Julien Thomas - Protektoid Project
Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.
2019-04-20 - Sydent - fs0c131y
Sydent sesssion ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated here.
2019-04-18 - Sydent - fs0c131y
An email validation exploit in Sydent. For more details see here and CVE-2019-11340.
2019-04-09 - Infrastructure - Jaikey Sarraf
Identified a unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired the vulnerability had been exploited by an attacker.
2018-12-06 - Synapse - Brian Hyde
XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated here.
2018-02-19 - Matrix React SDK - rugk
Origin check of ScalarMessaging postmessage API was insufficient. Mitigated here.

If you think you should be on the list, apologies if we missed you, please mail us at [email protected]