In scope are the latest releases of all Matrix software listed in the domains section.
The following SDKs might also be of interest since they are used in the client implementations referenced above:
However, any vulnerabilities that you find in these need to be exploitable through the clients in order to qualify for a bounty.
We are especially interested in remote code execution, federation-breaking attacks and leaks of encrypted information. Please refer to the Severity assessment section below for more details.
Use of automated tools
Since this bug bounty is primarily about source code, clever usage of automated tools such as fuzzers and static analysis tools is allowed and encouraged.
However, do not forget that blindly pasting the output of such a tool is not a substitute for a report.
No public testing
Please do not test on public Matrix homeservers or public Element Web instances. Reports that were tested in such a manner will be rejected and no bounty will be paid.
Instead, set up a local instance of Synapse. For this, you can use the official Docker image.
Similarly, there is a public Docker image for running a local instance of Element Web (instructions here).
Bonus policy
The European Commission offers a 20% bonus on top of a vulnerability payout if the reporter provides a fully working fix that is committed and accepted by the community.