Mattermost Security Updates

To report security issues please see the Mattermost Responsible Disclosure Policy. To sign up for notifications when a security fix is released, please join our Security Bulletin mailing list.

Mattermost software undergoes security review and penetration testing by organizations preparing for deployment, by leaders in the global security research community, and through internal review and testing.

Feedback is responsibly shared to the product team in order to offer security updates to the Mattermost community prior to publicly disclosing issues on the Mattermost Security Updates page.

Note: To increase the safety of Mattermost users, specific details on security updates in Mattermost releases are announced 14 days after the availability of the update. We have a mandatory upgrade policy and only provide updates for the latest release.

See security updates for:

Mattermost Server

Please see the Mattermost Upgrade Guide for step-by-step instructions on how to update to the latest release.

Security Updates by Release

Mattermost v5.1, 5.0.2, 4.10.2 (Released 2018-07-16)

  • Security Update #5.1.1.5
    • (Authorization) “invite_people” slash command would allow any logged-in user to invite users to the team/server without checking the relevant permissions. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v5.1 (Released 2018-07-16)

  • Security Update #5.1.1.6
    • (Authorization) Message slash command would allow user to create direct message channels without the requisite permission being granted. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #5.1.1.4
    • (Authorization) Channel PATCH API would allow modification of Direct and Group message channels by users who were not a member of those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #5.1.1.3
    • (Authorization) Group message slash command would allow user to create group message channels without the requisite permission being granted. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #5.1.1.2
    • (Authorization) Channel header slash command API could be exploited to set the header of Direct Message and Group Message channels as a user who does not have access to those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #5.1.1.1
    • (Denial of Service) “/invite_people” slash command could be used to cause a DoS attack. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.10.1, 4.9.4, 4.8.2 (Released 2018-06-04)

  • Security Update #4.10.1.1
    • (Denial of Service) Viewing a channel containing a malformed link could cause the app to freeze. Thanks to Eric Sethna for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.8.1, 4.7.4, 4.6.3 (Released 2018-04-09)

  • Security Update #4.8.1.2
    • (Information Disclosure) A System Admin editing a user would unintentionally send a Websocket event with the user’s email address and other personal information ignoring the privacy settings. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.8.1, 4.7.4 (Released 2018-04-09)

  • Security Update #4.8.1.1
    • (Authorization) The team invite_id was disclosed through email invites, allowing a user to invite themselves repeatedly to a team and invite others. Thanks to Jesús Espino for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.7.3 (Released 2018-03-09)

  • Security Update #4.7.3.1
    • (Denial of Service) Viewing a post containing invalid LaTeX code would cause an error that crashed the app. Thanks to Jan Wissmann for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.7.0, 4.6.2, 4.5.2 (Released 2018-02-23)

  • Security Update #4.7.0.1
    • (Authorization) SAML responses could be used beyond their expiration dates and maliciously crafted SAML responses could allow users to authenticate as any other user. Thanks to Brad Berkemier for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.5.0, 4.4.5, 4.3.4 (Released 2017-12-16)

  • Security Update #4.5.0.2
    • (Authorization) When configured to allow non-admins to create webhooks (“EnableOnlyAdminIntegrations” set to false), users were able to forge requests that allow them to edit other users’ webhooks. Thanks to Linda Mitchell for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.5.0, 4.4.5, 4.3.4, 4.2.2 (Released 2017-12-16)

  • Security Update #4.5.0.1
    • (Denial of Service) Viewing a post containing @ followed by certain built-in JavaScript field names would cause an error that crashes the app. Thanks to Tobias Gruetzmacher for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.4.3, 4.3.3 (Released 2017-12-05)

  • Security Update #4.4.0.1
    • (Authorization) When using Mattermost as an OAuth 2.0 service provider and allowing non-admin users to manage integrations (“EnableOnlyAdminIntegrations” set to false), an attacker with a user account could forge a request allowing the updating of an OAuth app’s name, description, icon, homepage and callback URLs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.3.0, 4.2.1, 4.1.2 (Released 2017-10-16)

  • Security Update #4.3.0.1
    • (Denial of Service) Fixed an issue where improperly formatted posts could cause the channel to not appear.
  • Security Update #4.3.0.2
    • (Input Validation) Fixed an issue allowing users with System Admin permissions upwards path traversal, arbitrary file creation and boolean file checking on systems using local storage for files. Systems using other file storage methods allowed only arbitrary file creation and boolean file checking.
  • Security Update #4.3.0.3
    • (Cross-site Scripting) Fixed an issue where script could be injected into the allow/deny OAuth 2.0 page.
  • Security Update #4.3.0.4
    • (Authentication) Fixed a vulnerability where any logged in user could revoke another user’s session if they had somehow obtained the session ID.
  • Security Update #4.3.0.5
    • (Cross-site Scripting) Prevented author_link and title_link fields in Slack attachments from containing JavaScript links.
  • Security Update #4.3.0.6
    • (Cross-site Scripting) Prevented JavaScript injection using the goto_location response to a slash command.
  • Security Update #4.3.0.7
    • (Cross-site Scripting) Prevented JavaScript injection using OpenGraph data received from a malicious web page.
  • Security Update #4.3.0.8
    • (Authorization) Prevented code prediction and possible access to user accounts due to weak entropy in authorization code generation when using Mattermost as an OAuth 2.0 Service Provider.
  • Security Update #4.3.0.9
    • (Authorization) Prevented registered OAuth applications from being able to privilege escalate with personal access tokens or by accessing other API endpoints on behalf of the user.
  • Security Update #4.3.10
    • (Input Validation) Prevented users from executing slash commands against a channel that belongs to a team in which they don’t have permission to use slash commands.
  • Security Update #4.3.11
    • (Information Disclosure) Fixed the team creator’s email being returned to team members with the team object.
  • Security Update #4.3.12
    • (Reducing Attack Surface) Prevented potential SQL injection by parameterizing the SQL query used for fetching multiple posts from the database.
  • Security Update #4.3.13
    • (Input Validation) Fixed a vulnerability where users could create fake system message posts via webhooks and slash commands through the v3 and v4 REST API.
  • Security Update #4.3.14
    • (Input Validation) Fixed a vulnerability where action buttons could be crafted to execute certain API requests on behalf of the user that clicks them.

Mattermost v4.2.0, 4.1.1 and 4.0.5 (Released 2017-09-16)

  • Security Update #4.2.0.1
    • (Phishing) Removed the ability for error pages to display custom links. Thanks to Andrey Dyatlov for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.2
    • (Reducing Attack Surface) Fixed an issue where certain fields in email templates could contain unescaped HTML. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.3
    • (Preventing Cross-Site Scripting) Fixed an issue where channel display names containing unescaped HTML would be rendered in posts. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.4
    • (Preventing Unauthorized Access) When using Mattermost as an OAuth 2.0 service provider and allowing non-admins to create integrations, users could register OAuth 2.0 applications as trusted and bypass the resource owner authorization step. As a result, the application could gain access to a logged-in Mattermost user who clicks on a link to that application. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.5
    • (Preventing Unauthorized Access) REST API version 4 endpoints for getting user statuses did not require active sessions. Information about user statuses could then be revealed to unauthenticated users. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.6
    • (Preventing Unauthorized Access) REST API version 3 logging endpoint could allow unauthenticated users to post DEBUG statements to the server logs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.7
    • (Reducing Attack Surface) When using Mattermost as an OAuth 2.0 service provider, a user clicking deny could still be redirected to the provided redirect_uri. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.8
    • (Denial of Service) Fixed an issue where certain posts could cause the browser to freeze. Thanks to Johannes Kastenfrosch for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.2.0.9
    • (Reducing Attack Surface) Increased robustness of per-IP-address rate-limiting. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.1.0, 4.0.4 and 3.10.3 (Released 2017-08-16)

  • Security Update #4.1.0.1
    • (Injection) Fixed a scenario where exporting a compliance report to CSV could allow formulas to run inside other applications, such as Microsoft Excel. Thanks to David Dworken for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.1.0.2
    • (Unauthenticated API Access) Fixed a scenario where team JSON, including team invite IDs, could be retrieved from the server without logging in and using only the team name. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.1.0.3
    • (API Data Leak) Fixed a scenario where team invite IDs could be leaked to logged in users through some team API endpoints. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v4.0.0, 3.10.2 and 3.9.2 (Released 2017-07-16)

  • Security Update #4.0.0.1
    • (Cross-site Request Forgery) Fixed a scenario where servers with CORS enabled could allow CSRF (cross-site request forgery) from unintended origins. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.0.0.2
    • (Cross-site Scripting) Updated server to ensure that uploaded non-image files are always downloaded instead of displayed on a browser. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.0.0.3
    • (Failure to Invalidate Sessions) When using Mattermost as an OAuth 2.0 service provider, deleting a registered OAuth application would not revoke existing sessions in use by that application. New sessions for that application would not be created. Old sessions will still expire after the regular period. Thanks to Lindsay Brock for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.0.0.4
    • (SSO Vulnerability) A user with an account on an SSO OAuth2 provider (e.g. GitLab) could forge a request to claim an existing Mattermost account. Only affects Mattermost servers with GitLab single sign-on or Mattermost Enterprise Edition servers with Office365 or G Suite single sign-on enabled. The attack is not stealthy: the victim would be notified of the account change by email and would not be able to log in to their account. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.0.0.5
    • (Cross-site Scripting) Prevented channel header from rendering raw HTML for users that have post formatting disabled. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #4.0.0.6
    • (Reducing Attack Surface) Updated server to ensure that the password reset email is always sent to the user’s email from the database, not the email entered into the password reset form, to avoid risk of database collation. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.9.0 (Released 2017-05-16)

  • Security Update #3.9.0.1
    • (Reducing Attack Surface) Updated server to enforce encryption and signature verification by default when SAML is enabled.

Mattermost v3.8.2, v3.7.5 and v3.6.7 (Released 2017-04-21)

  • Security Update #3.8.0.1
    • (Preventing Message Spoofing) Fixed a vulnerability where a user can cause email notifications to include arbitrary links. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.2
    • (Reducing Attack Surface) Updated server to prevent skipping the certificate verification when connecting to an email server over TLS. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.3
    • (Preventing Remote Code Execution) Updated server to allow only the path for the Mattermost log file instead of the full path and file name. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.4
    • (Preventing Cross-Site Scripting) Updated client to prevent links on error pages from executing JavaScript when opening in a new tab. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.5
    • (Preventing Message Spoofing) Updated client to prevent displaying non-whitelisted external links on error pages. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.6
    • (Preventing Unauthorized Access to API Endpoint) Updated server to enforce policy permission role restrictions after a server restart. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.0.7
    • (Preventing Unauthorized Access to API Endpoint) Updated server to enforce integration permission restrictions correctly based on the system configuration. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.8.1.1
    • (Reducing Attack Surface) Moved to stronger algorithms for hashing email invitations, OAuth, and email verification tokens. Thanks to Carlos Tadeu Panato Junior for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.7.3 and v3.6.5 (Released 2017-03-23)

  • Security Update #3.7.3.1
    • (Preventing Remote Code Execution) Prevent System Administrator from uploading a SAML certificate into an arbitrary file location. Thanks to Martijn Korse for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.7.0 and v3.6.3 (Released 2017-03-16)

  • Security Update #3.7.0.1
    • (Preventing Unauthorized Access to API Endpoint) Updated server to prevent team creation without an authenticated account. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.6.2 (Released 2017-01-31)

  • Security Update #3.6.2.1
    • (Preventing Cross-Site Scripting) Updated the server to honor cross-origin settings for websocket connections. Thanks to Alex Garbutt for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.6.0 and v3.5.2 (Released 2017-01-16)

  • Security Update #3.6.0.1
    • (Preventing Cross-Site Scripting) Updated client to prevent links on error page from executing code. Thanks to Julien Ahrens for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.5.1 (Released 2016-11-23)

  • Security Update #3.5.1.1
    • (Reducing Attack Surface) Fixed a vulnerability where a user can bypass email verification without needing to receive the email. Thanks to Alyssa Milburn for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.5.1.2
    • (Preventing Cross-Site Scripting and Remote Code Execution) Updated client to prevent certain code files from being executed in the browser window when opened in a file preview. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.3.0 (Released 2016-08-16)

  • Security Update #3.3.0.1
    • (Preventing Message Spoofing) Fixed a vulnerability where a logged in user could use WebSockets to show pop-ups containing messages to users in place of desktop notifications, and also locally modify the appearance of posts. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.2.0 (Released 2016-07-16)

  • Security Update #3.2.0.1
    • (Reducing Information Disclosure) Removed unused personal information from being returned in initial_load API. Thanks to Christer Mjellem Strand and Jonas Arneberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.2
    • (Protecting Against Denial of Service Vulnerability) Fixed functionality that caused certain posts to freeze a reader’s browser. Thanks to Mohammad Razavi and Steve MacQuiddy for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.3
    • (Reducing Information Disclosure) Fixed an injection vulnerability that could cause certain LDAP fields to be disclosed. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.4
    • (Reducing Attack Surface) Added protection against brute forcing a password change. Thanks to Ashish Pathak for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.1.0 (Released 2016-06-16)

  • Security Update #3.1.0.1
    • (Preventing Cross-Site Scripting) Updated server to prevent user from inadvertently including malicious content in theme color code values to execute JavaScript code under the user’s credentials. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.1.0.2
    • (Reducing Attack Surface) Added rel='noreferrer noopener' to all links using target='_blank' to reduce potential for cross-site scripting attack.

Mattermost v3.0.2 (Released 2016-05-17)

  • Security Update #3.0.2.1
    • (Reducing Information Disclosure) Remove redundancy of Session ID and Session Token. Session Token limited to allowing login and Session ID limited to revoking sessions. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.0.0 (Released 2016-05-16)

  • Security Update #3.0.0.1
    • (Preventing Cross-Site Scripting) Sanitized hyperlink values specified by System Administrator in Legal and Support Settings to prevent cross-site scripting attack. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.2
    • (Reducing Attack Surface) Limit system to one valid password reset link per user at a time to replace previous system which allowed reuse of password reset links. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.3
    • (Reducing Information Disclosure) Deprecated API previously used by unauthenticated accounts to retrieve data on teams available on the server in order to find team URLs needed for login. This functionality is no longer needed in Mattermost 3.0 where users login by server, rather than by team. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.4
    • (Reducing Attack Surface) SSL flag functionality added to SSL cookie placed on computer by Mattermost server under SSL connection, requiring SSL connection before the cookie’s information can be disclosed. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.5
    • (Reducing Attack Surface) Removed unnecessary APIs for System Admin to change username and email address of LDAP users. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.6
    • (Reducing Information Disclosure) Removed the ability for System Console UI to load credential fields stored in `config.json` in order to reduce information disclosure. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.7
    • (Preventing Cross-Site Scripting) Removed ability to use Mattermost redirect URL to run JavaScript. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.8
    • (Reducing Attack Surface) Removed unused export APIs to reduce the number of ways a Team Administrator could access account information. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v2.2.0 (Released 2016-04-16)

  • Security Update #2.2.0.1
    • Updated server to prevent misuse of user authority from information stored in a user’s browser. Thanks to Jim Hebert of Fitbit Security for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #2.2.0.2
    • (Preventing Cross-Site Scripting) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Uchida Ta for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #2.2.0.3
    • (Preventing Cross-Site Scripting and Remote Code Execution) Updated server to prevent files from being automatically opened in a browser window, which could be used to attack the system in multiple ways, including being used against the Mattermost desktop application to run programs on an end user’s computer. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v2.1.0 (Released 2016-03-16)

  • Security Update #2.1.0.1
    • (Preventing Cross-Site Request Forgery) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Luke Arntson for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v1.2.0 (Released 2015-11-16)

  • Security Update #1.2.0.1
    • (Protecting Against Denial of Service Vulnerability) Added file upload restrictions to prevent decompression of very large images from eating up very large portions of server memory after upload. Thanks to Paddy Steed for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App

Please download the latest release from the Mattermost App Downloads page and see the Desktop Installation Guides for Windows, Mac and Linux.

Security Updates by Release

Mattermost Desktop v4.0.1 (Released 2018-03-28)

  • Security Update #4.0.1.1
    • (Reducing Attack Surface) Node.js was allowed to be re-enabled in some Electron applications that disable it. This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs.

Mattermost Desktop v4.0.0 (Released 2018-01-30)

  • Security Update #4.0.0.1
    • (Reducing Attack Surface) Use setPermissionRequestHandler to request permissions for various actions such as video/audio usage and notifications from untrusted origins. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop v3.7.1 (Released 2017-08-30)

  • Security Update #3.7.1.1
    • (Reducing Attack Surface) Revoked trust for certificates issued by the StartCom/WoSign Certificate Authorities (CA). Thanks to Aaron Siegel from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop v3.4.0 (Released 2016-09-22)

  • Security Update #3.4.0.1
    • (Reducing Attack Surface) Added protection against code injection vulnerabilities by overriding and disabling an eval function that allowed strings to be executed as code. Thanks to Kolja Lampe for contributing to this improvement under the Mattermost responsible disclosure policy.

Jason Blais

Jason Blais is a Lead Product Manager at Mattermost, Inc. Prior to joining Mattermost, Jason served as a product manager and analytics manager for SpinPunch, a Y Combinator-backed online gaming startup. Jason has also provided statistical consultation at Stanford University. He is a University of Waterloo alumnus.
