Security Disclosure Policy
Matrix.org greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Matrix’s user-base from the impact of security issues. On our side, this means:
- We will respond to security incidents as a priority.
- We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.
- We will always transparently let the community know about any incident that affects them.
If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing [email protected]. Please do not discuss potential vulnerabilities in public without validating with us first.
On receipt the security team will:
- Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.
- Once the reported security bug has been addressed we will notify the Researcher, who is then welcome to optionally disclose publicly.
The Matrix.org Foundation does not currently provide a bug bounty, though organisations building on top of Matrix may do so in future. We do, however, maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.
Hall of Fame
Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking
An issue where encrypted state events could break incoming call handling. Fixed in
Element 1.7.5An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in
Element 1.7.3A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in
Synapse 1.15.2.
An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in
Element 1.7.3A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of
matrix-react-sdk#4685, released in Riot/Web 1.6.3.
A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in
MSC2630, which lists the fixed client versions.
An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1
HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3
SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1
Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1
Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3
Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated
here.
Sydent sesssion ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated
here.Identified a unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired the vulnerability had been
exploited by an attacker.
XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated
here.2018-02-19 - Matrix React SDK - rugk Origin check of ScalarMessaging postmessage API was insufficient. Mitigated
here.
If you think you should be on the list, apologies if we missed you, please mail us at [email protected]
