In scope are the latest releases of all Matrix software listed in the domains section.

The following SDKs might also be of interest since they are used in the client implementations referenced above:

• Matrix iOS SDK, used in Element iOS.
• Matrix iOS Kit, used in Element iOS.
• Matrix Android SDK2, used in Element Android.
• Matrix React SDK, used in Element Web and Element Desktop.
• Matrix JS SDK, used in Element Web and Element Desktop.

However, any vulnerabilities that you find in these need to be exploitable through the clients in order to qualify for a bounty.

We are especially interested in remote code execution, federation breaking attacks and leaks of encrypted information. Please refer to the Severity assessment section below for more details.

Use of automated tools

Since this bug bounty is primarily about source code, clever usage of automated tools such as fuzzers and static analysis tools is allowed and encouraged.

However, do not forget that blindly pasting the output of such a tool is not a substitute for a report.

No public testing

Please do not test on public Matrix homeservers nor public Element Web instances. Reports which were tested in such a manner will be rejected and no bounty will be paid.

Instead, set up a local instance of Synapse. For this, you can use the official Docker image.

Similarly, there is a public Docker image for running a local instance of Element Web (instructions here).

Bonus policy

The European Commission offers a 20% bonus on top of a vulnerability payout if the reporter provides a fully working fix that is committed and accepted by the community.

Please refrain from:

• Testing on public Matrix homeservers.
• Testing through public Element Web instances.
• Any testing of matrix.org infrastructure.

What follows is a list of issues which are out of scope and not eligible for a bounty.

General

• Theoretical vulnerabilities without demonstration of impact.
• Missing best practices without demonstration of impact.
• Spam, social engineering and physical intrusion.
• DoS/DDoS through flooding.
• Vulnerabilities that exclusively affect older browsers (older than 3 most recent versions).
• Vulnerabilities that do not affect the latest release of software components that are in scope.
• Attacks requiring physical access to a victim's computer/device.
• Recently disclosed zero-day vulnerabilities where no patch or a recent patch ($< 2$ weeks) is available. Please give us 2 weeks before reporting these types
  of issues.
• Reports regarding out of date/vulnerable dependencies without a proof-of-concept.

Web

The following issues are out of scope for Synapse and the web-based clients. However, if some of these issues allow you to execute a more comprehensive attack with demonstrated impact, the overall attack may still be eligible.

• Self-XSS that cannot be used to exploit other users
• Verbose server output without disclosure of sensitive information
• CORS misconfiguration on non-sensitive endpoints
• CSV injection without demonstration of impact
• Cross-site Request Forgery with no or low impact
• Missing cookie flags
• Missing security headers
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Clickjacking on pages with no sensitive actions
• Host Header Injection
• Hyperlink injection/takeovers
• Mixed content type issues
• Cross-domain referer leakage
• Anything related to email spoofing, SPF, DMARC or DKIM
• HTTP Request smuggling without demonstrated impact
• Homograph attacks
• Not stripping metadata of images
• Disclosing API keys without proven impact

Mobile

The following mobile-specific issues are out of scope:

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• API key leakage used for insensitive activities/actions
• Attacks requiring physical access to the victim's device

Our promise to you

• We will respond to your reports in two weeks, probably faster!
• We are happy to respond to any questions, please use the button in the right top corner for this.
• We respect the safe harbour clause that you can find below.

Your promise to us

• Provide detailed but to-the point reproduction steps. Include a clear attack scenario. How will this affect us exactly?
• Remember: quality over quantity!
• Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)

In case of multiple reports with the same root cause, only the first submission will be rewarded. The other submissions will be marked as duplicates. If an issue was previously known to the project, it will also be marked as duplicate.

Rewards in this project are categorised according to impact, not according to attack vector.

The list below may be used as a rough guideline for determining issue severity. However, when assessing a vulnerability additional context may apply which may change the severity in either direction.

The list is not meant to be exhaustive so other types of vulnerabilities can still be eligible for a bounty. Be creative!

Exceptional

• RCE (remote code execution) on any server or client component in scope.
• Leak of plaintext of encrypted data (e.g. message content) from encrypted rooms.

Critical

• Federation breaking DoS, especially if persisted (requiring manual intervention to repair).
• Account takeover with no user interaction.
• E2EE key stealing attacks.

High

• Account takeover with minimal user interaction.
• Executing unauthorized Matrix operations on behalf of another user with no user interaction.
• Non-persisted federation breaking DoS.

Medium

• Persisted DoS vectors limited to a single server or client.
• Persisted (stored) XSS in Element Web/Desktop.
• Any XSS in Synapse.

Low

• Non-persisted DoS vectors limited to a single server or client.
• Reflected XSS or XSS with requiring user interaction in Element Web/Desktop.

Where can we get credentials for the app?

We currently don't offer any credentials or public infrastructure suitable for security testing. For this, please set up your own local environment using instructions in the In Scope > No public testing subsection.

However, if you simply want to try out Matrix to see how it works from a user's perspective, you can self-register on this publicly hosted Element Web instance. When doing so, use your @intigriti.me address.