Security Disclosure Policy

Matrix.org greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of coordinated vulnerability disclosure in order to best protect Matrix's user base from the impact of security issues. On our side, this means:

In general, we will aim for a fix within 90 days of receiving your report, but we may propose a longer time frame (usually 120 days) for especially complex vulnerabilities. In some cases, when a vulnerability is particularly disruptive and/or easy to exploit, we may delay publishing technical details for an additional period after the fix is publicly available (usually no longer than 30 days).

If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing security@matrix.org. Optionally, if you want to encrypt your email, you can use our PGP key. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt, the security team will:

The following is a list of known issues and/or things we do not consider to be an issue. Please do not send reports regarding the following:

The Matrix.org Foundation does not ordinarily provide bug bounties, though organisations building on top of Matrix may do so in future. We maintain a Security Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.