[{"id":3728785,"new_policy":"##Latest Updates \n* March 1st, 2024: The list of eligible in-scope plugins has been updated! Community-supported plugins were removed and 2 new plugins were added: the Calls  and the GitLab Plugin.\n \nMattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n- Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-06T10:37:17.549Z"},{"id":3713469,"new_policy":"##Latest Updates \n* March 1st, 2024: The list of eligible in-scope plugins has been updated! Community-supported plugins were removed and 2 new plugins were added: the Calls  and the GitLab Plugin.\n \nMattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n- Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-01T09:18:14.336Z"},{"id":3713468,"new_policy":"##Latest Updates \n* March 1st, 2024: The list of eligible plugins has been updated! Community-supported plugins were removed and 2 new plugins were added: the Calls  and the GitLab Plugin.\n \nMattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n- Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-01T09:15:31.979Z"},{"id":3713467,"new_policy":"Latest Updates \n======================\n* March 1st, 2024: The list of eligible plugins has been updated! Community-supported plugins were removed and 2 new plugins were added: the Calls  and the GitLab Plugin.\n \nMattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n- Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-01T09:14:55.575Z"},{"id":3683878,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n- Reports about system users having scoped elevated permissions by default when there is a configuration option to restrict it, if needed\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-21T13:29:42.449Z"},{"id":3682119,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Third Party Dependencies and Standard Libraries\n\nReports on vulnerabilities whose root cause is in 3rd party dependencies or standard libraries on which our products are built or run on will be considered for a bounty reward only if these conditions apply:\n\n* A working proof of concept exploit is submitted\n* A reasonable time has passed (30 to 90 days based on severity) after the vulnerability in the dependency or its upstream fix has been made public.\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-17T22:49:35.980Z"},{"id":3681820,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Adversary-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-10T08:45:52.665Z"},{"id":3681749,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Man-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-09T12:01:30.196Z"},{"id":3681481,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n### Note: Holiday season 2022\n\nPlease note that a majority of our staff are out of office during the 2022 holiday season, starting from December 22th. Longer response times are to be expected. We are back Monday, January 9th, 2023.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Man-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T22:00:43.709Z"},{"id":3670578,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 5 business days. We'll try to keep you informed throughout the process about the current status and next steps.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Activity that is disruptive to Mattermost will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:\n    - Generating abuse requests\n    - Submission of support, sales or other requests to 3rd party systems\n    - Mass creation of trial and/or free instances on cloud\n    - Mass creation of users, groups, and projects within a single instance\n    - Spam-like or other high volume activity\n    - Submission of any sort of malicious posts on any of our community servers\n- Disruptive activity such as that listed above can be researched freely on your own self-hosted installations of Mattermost products. Mattermost is an open-core company, with the source code available at https://github.com/mattermost/mattermost-server and quick installation instructions available at https://docs.mattermost.com/getting-started/light-install.html. \n- Sending reports from automated tools without verifying them will immediately disqualify the report and will be closed as N/A.\n\n## Accounts\n- You must use your HackerOne email address, YOURHANDLE @ wearehackerone.com, so we can properly identify your account. Doing so may also give you access to new features in your installation before the feature is fully released.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we are most interested in seeing, is available in each asset's description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) 3.1 and score according to the guidelines in the [CVSS calculator](https://www.first.org/cvss/calculator/3.1). \n\nPlease note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n\n## Out of Scope:\nMattermost does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:\n\n- Any violations of our Program Rules\n- Brute force attacks. Example: Guessing a user's password\n- Disclosure of server or software version numbers\n- Server-side-request-forgery (SSRF) that requires system admin privileges, except on a cloud instance\n- Phishing using Unicode homoglyphs or RTLO characters\n- Issues with the SPF, DKIM or DMARC records (except from mattermost.com)\n- CSV/Formula Injection\n- Attacks requiring physical access to the victim's computer\n- Man-in-the-middle attacks\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Issues related to XMLRPC\n- Unconfirmed reports from automated vulnerability scanners\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an input box and then clicking to preview it would be two steps\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n- Denial of service attacks that only affect yourself. Example: A specially crafted request that causes you not to be able to login to your account\n- Enterprise Edition unlock attacks. Example: Modifying the source code to remove Enterprise Edition checks\n\n## Known issues (not worth reporting):\nThe following vulnerability types are already known and won't be fixed. These issues will be closed as Not Applicable:\n\n- It's possible for unauthenticated users to determine which email addresses do and don't have accounts\n- Information disclosure related to cross-team isolation\n- OAuth applications don't yet support scopes and can do anything the authenticated user can do\n- Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public\n- Hyperlink Injection in the emails sent to the users\n- System Admins are allowed to perform any actions on the system\n- Sessions are not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary\n- EXIF metadata not being stripped from images\n- Race conditions that lead to bypassing the limit\n\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-29T07:39:33.626Z"},{"id":3650081,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 3 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nWhen duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we’re most interested in seeing, is available in each asset’s description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Eligible for rewards:\n\n* Cross-site-scripting (XSS), both persistent and reflected\n  * Example: Posts that execute JavaScript on viewer devices.\n* Cross-site-request-forgery (CSRF)\n  * Example: Sites that are able to force users into creating posts or performing other actions.\n* Server-side-request-forgery (SSRF) that can be performed by non-system-admins\n  * Example: Slash commands that POST to localhost or other internal servers.\n* Passive denial of service attacks\n  * Example: An action performed in-app (outside of the system console) that renders the service unusable.\n* Information disclosures (especially those that can be performed by unauthenticated users)\n  * Example: An API request that reveals how many messages are in an unjoined private channel.\n* Other issues of similar or greater security impact.\n\nAttacks that require system admin privileges are far less likely to be rewarded than attacks that can be performed by team admins, normal users, or unauthenticated users.\n\n## Things we want to hear about (but may not be eligible):\n\n* Best practices\n  * Example: Missing headers.\n* Low/no impact information disclosures\n  * Example: OS version, filesystem paths, etc.\n* Client side performance issues\n  * Example: A specific Markdown string causes the clients to slowdown.\n* Other issues that can’t be exploited independently.\n\n## Not eligible for rewards:\n* Active or loud denial of service attacks\n  * Example: Bombarding the server with requests.\n* Brute force attacks\n  * Example: Guessing a user’s password.\n* Non sensitive information disclosure\n  * Example: Mattermost server version or user email address to other users. \n* Server-side-request-forgery (SSRF) that requires system admin privileges.\n* Denial of service attacks that only effect yourself.\n  * Example: A specially crafted request that causes you not to be able to login to your account.\n* Enterprise Edition unlock attacks\n  * Example: Modifying the source code to remove Enterprise Edition checks.\n\n## Known issues (not worth reporting):\n* It’s possible for unauthenticated users to determine which email addresses do and don’t have accounts.\n* Information disclosure related to cross-team isolation.\n* OAuth applications don't yet support scopes and can do anything the authenticated user can do.\n* Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public.\n* Issues related to XMLRPC\n* Abuse via Email Flooding\n* Hyperlink Injection in the emails sent to the users\n* System Admins are allowed to perform any actions on the system\n* Session does not automatically invalidated during email/password change but it's still possible to manually revoke all sessions from the Account Settings → Security → View and Log Out of Active Sessions, if deemed necessary.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-19T08:37:27.502Z"},{"id":3649266,"new_policy":"Mattermost Bug Bounty Program\n======================\n\nMattermost looks forward to working with the security community to find security vulnerabilities in order to keep our community and customers safe. Mattermost will make a best effort to respond to incoming reports within 3 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.\n\n## Eligibility \u0026 Disclosure Policy\n- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nWhen duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Scope\n- Our scopes are listed in the assets section below. More information on each scope, including the types of issues we’re most interested in seeing, is available in each asset’s description.\n\n## Rewards\nOur rewards are based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Mattermost. For example, reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information) may be considered “Low” instead of “Medium” severity.\n\n## Eligible for rewards:\n\n* Cross-site-scripting (XSS), both persistent and reflected\n  * Example: Posts that execute JavaScript on viewer devices.\n* Cross-site-request-forgery (CSRF)\n  * Example: Sites that are able to force users into creating posts or performing other actions.\n* Server-side-request-forgery (SSRF) that can be performed by non-system-admins\n  * Example: Slash commands that POST to localhost or other internal servers.\n* Passive denial of service attacks\n  * Example: An action performed in-app (outside of the system console) that renders the service unusable.\n* Information disclosures (especially those that can be performed by unauthenticated users)\n  * Example: An API request that reveals how many messages are in an unjoined private channel.\n* Other issues of similar or greater security impact.\n\nAttacks that require system admin privileges are far less likely to be rewarded than attacks that can be performed by team admins, normal users, or unauthenticated users.\n\n## Things we want to hear about (but may not be eligible):\n\n* Best practices\n  * Example: Missing headers.\n* Low/no impact information disclosures\n  * Example: OS version, filesystem paths, etc.\n* Client side performance issues\n  * Example: A specific Markdown string causes the clients to slowdown.\n* Other issues that can’t be exploited independently.\n\n## Not eligible for rewards:\n* Active or loud denial of service attacks\n  * Example: Bombarding the server with requests.\n* Brute force attacks\n  * Example: Guessing a user’s password.\n* Non sensitive information disclosure\n  * Example: Mattermost server version or user email address to other users. \n* Server-side-request-forgery (SSRF) that requires system admin privileges.\n* Denial of service attacks that only effect yourself.\n  * Example: A specially crafted request that causes you not to be able to login to your account.\n* Enterprise Edition unlock attacks\n  * Example: Modifying the source code to remove Enterprise Edition checks.\n\n## Known issues (not worth reporting):\n* It’s possible for unauthenticated users to determine which email addresses do and don’t have accounts.\n* Information disclosure related to cross-team isolation.\n* OAuth applications don't yet support scopes and can do anything the authenticated user can do.\n* Since we are an open source company, we have a lot of public documents that might be considered confidential at other companies. For example, our JIRA instance is public.\n\nThank you for helping keep Mattermost and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-01T12:14:50.180Z"}]