Description

Matrix is an open, federated network for secure, decentralised communication used by both individuals and large governments. Matrix provides state-of-the-art E2E encryption (based on the Double Ratchet Algorithm popularised by Signal) in both 1-on-1 conversations and between many participants. The protocol is suitable not only for messaging and VoIP, but all kinds of use cases requiring exchange of structured data, such as IoT and VR. For more information, visit https://matrix.org/

Bounties
Tier 2 payouts by severity:

  Low          € 100
  Medium       € 1,000
  High         € 4,000
  Critical     € 10,000
  Exceptional  € 15,000

Range: € 100 - € 15,000
Domains

(Backend) Synapse Homeserver

Tier 2
Other

Synapse is the reference implementation of a Matrix homeserver.
Source available on GitHub at matrix-org/synapse

(Client) Element Android

Tier 2
Other

Element Android is a popular open-source client for Matrix.
It is published in the Google Play Store and on F-Droid.

Source available on GitHub at vector-im/element-android

(Client) Element Desktop

Tier 2
Other

Element Desktop is a popular open-source client for Matrix.
It is implemented as an Electron wrapper around Element Web.

Source available on GitHub at vector-im/element-desktop
Prebuilt binaries available at https://element.io/get-started

(Client) Element iOS

Tier 2
Other

Element iOS is a popular open-source client for Matrix.
It is published in the App Store.

Source available on GitHub at vector-im/element-ios

(Client) Element Web

Tier 2
Other

Element Web is a popular open-source client for Matrix.
Source available on GitHub at vector-im/element-web

(Library) Olm

Tier 2
Other

Olm is Matrix's implementation of the Double Ratchet algorithm, the cryptographic core of Matrix E2E encryption.

Source available on matrix.org's GitLab

(Microservice) Sydent

Tier 2
Other

Sydent is the reference Matrix Identity Server.

Identity servers are components which allow binding third-party identifiers (such as emails and phone numbers) to Matrix identifiers, used for contact discovery.

Source available on GitHub at matrix-org/sydent

(Microservice) Sygnal

Tier 2
Other

Sygnal is the reference Matrix Push Gateway.

Push gateways are components that receive event notifications from Matrix homeservers (such as Synapse) and deliver them as push notifications to clients, e.g. through Firebase.

Source available on GitHub at matrix-org/sygnal

(Specification) Matrix protocol

Tier 2
Other

The Matrix protocol itself, as defined by its specifications, is also in scope. We are interested in any protocol design issues that pose an inherent security threat to Matrix.

When submitting issues against this target, please be mindful about what you are submitting, with an eye towards the practicality of the suggested weakness/attack.

The specifications in scope include the:

In scope

In scope are the latest releases of all Matrix software listed in the domains section.

The following SDKs might also be of interest since they are used in the client implementations referenced above:

However, any vulnerabilities that you find in these need to be exploitable through the clients in order to qualify for a bounty.

We are especially interested in remote code execution, federation breaking attacks and leaks of encrypted information. Please refer to the Severity assessment section below for more details.

Use of automated tools

Since this bug bounty is primarily about source code, clever usage of automated tools such as fuzzers and static analysis tools is allowed and encouraged.

However, do not forget that blindly pasting the output of such a tool is not a substitute for a report.

No public testing

Please do not test on public Matrix homeservers nor public Element Web instances. Reports which were tested in such a manner will be rejected and no bounty will be paid.

Instead, set up a local instance of Synapse. For this, you can use the official Docker image.

Similarly, there is a public Docker image for running a local instance of Element Web; point its configuration at your local Synapse rather than at any public homeserver.
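The following script is an added example, not part of the program page or of any Matrix project, showing one way to stand up the local test bench this section asks for so that no traffic reaches public homeservers. It assumes Docker is installed, that matrixdotorg/synapse and vectorim/element-web are the official images, and uses "localhost" as a throwaway server name and ports 8008/8080 as arbitrary choices. The two helper functions that only touch files (enable_lab_registration and element_config) are kept separate from the Docker calls so they can be checked without Docker.

```shell
#!/bin/sh
# Added example (not from the program page or the Matrix projects): local
# Synapse + Element Web lab for bug-bounty testing. Assumptions: docker is
# available; matrixdotorg/synapse and vectorim/element-web are the official
# images; "localhost" is an acceptable lab server name; ports 8008/8080 are
# arbitrary. Nothing here should ever be pointed at matrix.org infrastructure.
set -eu

SERVER_NAME="${SERVER_NAME:-localhost}"
DATA_DIR="${DATA_DIR:-$PWD/synapse-data}"

# Lab-only: allow open registration so test accounts can be created from the
# client without a shared secret. Appends to homeserver.yaml, idempotently.
# Never ship these two settings to a server reachable from the internet.
enable_lab_registration() {
  cfg="$1"
  grep -q '^enable_registration: true' "$cfg" 2>/dev/null && return 0
  printf '\n# lab only: open registration, no verification\nenable_registration: true\nenable_registration_without_verification: true\n' >> "$cfg"
}

# Element Web config.json that pins the client to the lab homeserver and hides
# the custom-homeserver field, so a mis-click cannot log into a public server.
element_config() {
  printf '{"default_server_config":{"m.homeserver":{"base_url":"%s","server_name":"%s"}},"disable_custom_urls":true}\n' \
    "$1" "$SERVER_NAME"
}

# Step 1: generate homeserver.yaml, signing key and log config into $DATA_DIR.
synapse_generate() {
  mkdir -p "$DATA_DIR"
  docker run --rm -v "$DATA_DIR:/data" \
    -e SYNAPSE_SERVER_NAME="$SERVER_NAME" -e SYNAPSE_REPORT_STATS=no \
    matrixdotorg/synapse:latest generate
  enable_lab_registration "$DATA_DIR/homeserver.yaml"
}

# Step 2: run Synapse on http://localhost:8008.
synapse_start() {
  docker run -d --name synapse-lab -v "$DATA_DIR:/data" -p 8008:8008 \
    matrixdotorg/synapse:latest
}

# Step 3: create an admin user via the registration shared secret that
# "generate" wrote into homeserver.yaml (run inside the container).
register_admin() {
  docker exec synapse-lab register_new_matrix_user \
    -c /data/homeserver.yaml -u "$1" -p "$2" -a http://localhost:8008
}

# Step 4: run Element Web on http://localhost:8080, wired to the lab server.
element_start() {
  element_config http://localhost:8008 > "$PWD/element-config.json"
  docker run -d --name element-lab -p 8080:80 \
    -v "$PWD/element-config.json:/app/config.json:ro" \
    vectorim/element-web:latest
}

lab_down() {
  docker rm -f synapse-lab element-lab 2>/dev/null || true
}

# Usage: sh lab.sh up | down   (no action when sourced or run without args)
case "${1:-}" in
  up)   synapse_generate; synapse_start; sleep 5; register_admin admin admin-pass; element_start ;;
  down) lab_down ;;
esac
```

Note that the generated homeserver.yaml also carries the registration shared secret and the server's signing key; keep the data directory out of any report attachment you upload.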

Bonus policy

The European Commission offers a 20% bonus on top of a vulnerability payout if the reporter provides a fully working fix that is committed and accepted by the community.

Out of scope

Please refrain from:

  • Testing on public Matrix homeservers.
  • Testing through public Element Web instances.
  • Any testing of matrix.org infrastructure.

What follows is a list of issues which are out of scope and not eligible for a bounty.

General

  • Theoretical vulnerabilities without demonstration of impact.
  • Missing best practices without demonstration of impact.
  • Spam, social engineering and physical intrusion.
  • DoS/DDoS through flooding.
  • Vulnerabilities that exclusively affect browsers older than the three most recent major versions.
  • Vulnerabilities that do not affect the latest release of software components that are in scope.
  • Attacks requiring physical access to a victim's computer/device.
  • Recently disclosed zero-day vulnerabilities where no patch, or only a recent patch (< 2 weeks old), is available. Please give us 2 weeks before reporting these types of issues.
  • Reports regarding out of date/vulnerable dependencies without a proof-of-concept.

Web

The following issues are out of scope for Synapse and the web-based clients. However, if some of these issues allow you to execute a more comprehensive attack with demonstrated impact, the overall attack may still be eligible.

  • Self-XSS that cannot be used to exploit other users
  • Verbose server output without disclosure of sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • CSV injection without demonstration of impact
  • Cross-site Request Forgery with no or low impact
  • Missing cookie flags
  • Missing security headers
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Clickjacking on pages with no sensitive actions
  • Host Header Injection
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • HTTP Request smuggling without demonstrated impact
  • Homograph attacks
  • Not stripping metadata of images
  • Disclosing API keys without proven impact

Mobile

The following mobile-specific issues are out of scope:

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • Leakage of API keys that are only used for non-sensitive activities/actions
  • Attacks requiring physical access to the victim's device

Rules of engagement

Our promise to you

  • We will respond to your reports within two weeks, probably faster!
  • We are happy to respond to any questions.
  • We respect the safe harbour clause that you can find below.

Your promise to us

  • Provide detailed but to-the point reproduction steps. Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo).

Safe harbour for researchers

Matrix / Element considers ethical hacking activities conducted consistently with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Matrix / Element will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Matrix / Element will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

In case of multiple reports with the same root cause, only the first submission will be rewarded. The other submissions will be marked as duplicates. If an issue was previously known to the project, it will also be marked as duplicate.

Rewards in this project are categorised according to impact, not according to attack vector.

The list below may be used as a rough guideline for determining issue severity. However, when assessing a vulnerability additional context may apply which may change the severity in either direction.

The list is not meant to be exhaustive so other types of vulnerabilities can still be eligible for a bounty. Be creative!

Exceptional

  • RCE (remote code execution) on any server or client component in scope.
  • Leak of plaintext of encrypted data (e.g. message content) from encrypted rooms.

Critical

  • Federation breaking DoS, especially if persisted (requiring manual intervention to repair).
  • Account takeover with no user interaction.
  • E2EE key stealing attacks.

High

  • Account takeover with minimal user interaction.
  • Executing unauthorized Matrix operations on behalf of another user with no user interaction.
  • Non-persisted federation breaking DoS.

Medium

  • Persisted DoS vectors limited to a single server or client.
  • Persisted (stored) XSS in Element Web/Desktop.
  • Any XSS in Synapse.

Low

  • Non-persisted DoS vectors limited to a single server or client.
  • Reflected XSS, or XSS requiring user interaction, in Element Web/Desktop.

FAQ

Where can we get credentials for the app?

We currently don't offer any credentials or public infrastructure suitable for security testing. For this, please set up your own local environment using instructions in the In Scope > No public testing subsection.

However, if you simply want to try out Matrix to see how it works from a user's perspective, you can self-register on this publicly hosted Element Web instance. When doing so, use your @intigriti.me address.


Program specifics: ID check required; reputation points awarded; triage by the platform.
Overall stats

  • Submissions received: 79
  • Accepted submissions: 16
  • Average payout: €757
  • Total payouts: €12,100

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to triage: < 4 days
  • Avg. time to decide: < 3 weeks