Security Vulnerability Report

If you believe you have discovered a vulnerability in a Mattermost product please report it.

Responsible Disclosure Policy

Safety and data security is of utmost priority for the Mattermost community. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.

  1. Please contact us to report any security vulnerabilities found in our community test server, any of the open source code bases maintained by Mattermost, or any of our commercial offerings.
  2. Please refrain from requesting compensation for reporting vulnerabilities.
  3. We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
  4. If your report is reproducible as an exploit and results in a change to the code base or documentation of a Mattermost product, we will–at your option–publicly acknowledge your responsible disclosure.
  5. After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide Mattermost with a link to any such announcements. In releases containing security fixes, Mattermost announces an update is available, acknowledges the contributions of security researchers, and it withholds specific details until 30 days after availability to give time for the community to apply updates.

You are not allowed to search for vulnerabilities on any instance of Mattermost hosted by the team, users, or customers with the exception of non-disruptive testing on the community test server mentioned above.

Mattermost is open source software, you can install a copy yourself and test against that. If you want to perform testing that might break things please contact us to arrange access to a private staging server, so you don’t disrupt other people’s work on the community test server.

Many thanks to the security researchers who have responsibly contributed their findings to make the Mattermost code base more secure (listed in the Security Research Hall of Fame below by number of contributions, then alphabetically).

Our Bug Bounty Program

Mattermost is committed to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We’ll try to keep you informed throughout the process about the current status and next steps

To learn more about our bug bounty program and participate, please visit this page.


Security Research Hall of Fame

  • Juho Forsén (75 contributions)
  • Rohitesh Gupta (31 contributions)
  • DoyenSec (23 contributions)
  • vultza (23 contributions)
  • BhaRat (14 contributions)
  • Frans Rosén (12 contributions)
  • Andreas Lindh (11 contributions)
  • Christopher Brown (10 contributions)
  • Harrison Healey (9 contributions)
  • c0rydoras (7 contributions)
  • Leandro Chaves (brdoors3) (7 contributions)
  • Yoni Ramon from Tesla security team (7 contributions)
  • Foobar7 (6 contributions)
  • Joram Wilander (6 contributions)
  • Pyae Phyo (6 contributions)
  • Eva Sarafianou (4 contributions)
  • George Goldberg (4 contributions)
  • Martijn Korse, Jelle Kroon, Ömer Coskun, and Bernardo Maia Rodrigues of the KPN Red Team (4 contributions)
  • Roman Shchekin (4 contributions)
  • Daniel Espino Garcia (3 contributions)
  • Christopher Speller (3 contributions)
  • Daniel Schalla (3 contributions)
  • Jesse Hallam (3 contributions)
  • omar ahmed (3 contributions)
  • Uchida Taishi (3 contributions)
  • Adrian (thiefmaster) (2 contributions)
  • Agniva de Sarker (2 contributions)
  • Bastian Ike (2 contributions)
  • Brad Berkemier (2 contributions)
  • cenman (2 contributions)
  • Csaba Fitzl (2 contributions)
  • Đặng Minh Trí (2 contributions)
  • Daniel Pallinger (2 contributions)
  • Dibyajyoti Dutta (2 contributions)
  • Đỗ Minh Tuấn & Thanh Nguyen Van Tien (2 contributions)
  • Elias Nahum (2 contributions)
  • Eric Sethna (2 contributions)
  • Gian Klug (coderion) (2 contributions)
  • Grzegorz Misiun from ING (2 contributions)
  • Jo Astoreca (2 contributions)
  • Lorenzo Gallegos (2 contributions)
  • Ossi Väänänen (2 contributions)
  • Philippe Antoine (2 contributions)
  • Sebastian Raff (2 contributions)
  • TheSecurityDev (2 contributions)
  • Veshraj Ghimire (2 contributions)
  • whitehattushu (2 contributions)
  • Aaditya Purani
  • Abhisek Datta
  • Adam Pritchard
  • Alex Garbutt
  • Alyssa Milburn
  • Andrea zi0Black Cappa of Shielder
  • Andrey Dyatlov from Wargaming
  • Aryan Rupala
  • Ashish Padelkar
  • Ashish Pathak
  • Ashley Hull
  • Ben Burke
  • Ben Cooke
  • Ben Schumacher
  • Boyd Ansems of the KPN Red Team
  • Bruno Bierbaumer
  • Carlos Tadeu Panato Junior
  • Christer Mjellem Strand
  • Claudio Costa
  • David Dworken
  • Doug Lauder
  • Douglas Banyai
  • Elnerd
  • Erlend Leiknes from mnemonic as
  • Ernst Kloppenburg
  • Fatih ERDOGAN – @ FeCassie
  • Filip Omazić / Cybersecurity engineer at the Croatian national CERT
  • Florian Orben
  • Francisco Correa
  • Hagai Wechsler from WhiteSource
  • Imamul Mursalin
  • lsibilev
  • James Hall from MDSec Labs
  • Jan Wissmann
  • Jason Frerich
  • Jesús Espino
  • Jim Hebert of Fitbit Security
  • Johannes Eichner
  • Jonas Arneberg
  • Jonathan (0xghostwriter)
  • Jorge Ferreira, Wilberto Filho, Julio Fort and Patrick Sukop from Blaze Information Security
  • Julien Ahrens
  • Kolja Lampe
  • Kyriakos Ziakoulis
  • Lakshman Garkini
  • Lev Brouk
  • Linda Mitchell
  • Lindsay Brock
  • Luca Carettoni of Doyensec
  • Luke Arntson
  • Martin Kraft
  • Matt Moses
  • Michael Kochell
  • Mikael Berthe
  • Mohammad Razavi
  • Nathan Lowe, Scott Payne and Jeff Ziegener of Hyland Software
  • Paal Braathen
  • Pabloß
  • Paddy Steed
  • Patrice Kolb of ETH Zurich
  • Paul Harrison
  • Pawan Lal
  • Rohit KC
  • Shailendra Singh Sachan
  • Sheikh Rishad
  • Šimon Čecháček
  • Soroush Dalili of the NCC Group
  • Steve MacQuiddy from Tesla
  • Stylianos Rigas
  • Sunny Kumar
  • Tobias Gruetzmacher
  • Tri
  • Vishwaraj Bhattrai
  • 0AQD
  • aapo
  • Ada
  • akash-hamal
  • AT1ZT0
  • BugSniper
  • claverrat
  • DummyThatMatters
  • edu (enovella)
  • esosnov
  • gee-netics
  • Hack Cats
  • hackit_bharat
  • intrigus
  • jofra
  • lolcabanon
  • mga_bobo
  • mr_anon
  • othman
  • p3rr0
  • ramsakal7582
  • redacted_co
  • RyotaK
  • sbruckmann
  • sekharlee
  • severus
  • SParK
  • themarkib0x0
  • vincentbab
  • wgh_
  • xpx
  • zerodivisi0n
  • Zonduu

See the Mattermost Security Updates page for a list of security updates by release.

Stay up to date with security news from Mattermost

Join our Security Bulletin for fix release notifications:

Email Only