Bug bounty policy
Matter's bug bounty programme. In-scope assets, report format, triage SLA, tiered rewards, safe-harbour language, exclusions, and coordinated-disclosure timeline.
Matter runs a public bug bounty programme. Security researchers who find genuine vulnerabilities in our production systems are rewarded according to the tiered table below. This page is the canonical, public-facing statement of the programme. Submissions follow the vulnerability disclosure protocol.
Scope
In scope
- api.mattermode.com — the production REST API surface.
- app.mattermode.com — the dashboard.
- mcp.mattermode.com — the MCP tool surface.
- mattermode.com — the marketing surface (XSS, CSRF, supply-chain only).
- docs.mattermode.com — the documentation site.
- Authentication flows: bearer tokens, mTLS, M2M OAuth client-credentials, SAML, SCIM, step-up authentication.
- Webhook signature verification.
- Audit chain integrity and Rekor anchoring.
- Mode segregation (live, sandbox, test).
- Per-tenant isolation.
Out of scope
- Customer-owned infrastructure that receives our webhooks.
- Third-party sub-processors (Clerk, Vercel, Neon, Stripe). Report directly to them.
- Denial-of-service or sustained volumetric attacks. Edge-provider concern.
- Social engineering of Matter employees, contractors, or customers.
- Physical attacks on Matter staff or property.
- Findings that require a rooted, jail-broken, or otherwise compromised endpoint.
- Findings that only apply to outdated browser versions (we support the last two major releases of evergreen browsers).
- Reports generated solely by automated scanners without manual verification.
Report format
Send reports to security@mattermode.com, encrypted with the PGP key published on the vulnerability disclosure protocol page. Include:
- Title — one-line summary.
- Severity — your initial assessment using CVSS 3.1.
- Affected surface — domain, route, endpoint, or component.
- Steps to reproduce — exact commands, payloads, account context.
- Observed impact — what the vulnerability lets an attacker do.
- Suggested remediation — optional but appreciated.
- Contact — preferred name for the Hall of Fame (opt-in).
Triage SLA
| Severity | First response | Triage decision | Initial fix target |
|---|---|---|---|
| Critical | 4 hours | 24 hours | 7 days |
| High | 24 hours | 3 days | 30 days |
| Medium | 3 days | 7 days | 60 days |
| Low | 7 days | 14 days | 120 days |
First response is an acknowledgement, not necessarily a verdict. Triage decision is the verdict — accepted, deduplicated, or rejected with reasoning.
Reward table
Rewards are denominated in USD and paid by bank transfer or BTC at the reporter's choice once the finding is fixed and (where appropriate) disclosed. A single report may earn at most one tier — chained findings are paid at the highest tier present in the chain.
| Severity | Reward |
|---|---|
| Critical | $5,000 |
| High | $2,000 |
| Medium | $500 |
| Low | $100 |
Severity is determined by Matter's security team using CVSS 3.1 plus context (data exposure, blast radius, prerequisites). The team commits in good faith to fair grading and will explain any downgrade from the reporter's initial assessment.
Safe harbour
Matter authorises good-faith security research conducted under this policy. If your testing is consistent with this policy, Matter will:
- Not pursue civil action against you.
- Not refer your activity to law enforcement.
- Treat your activity as authorised under the Computer Fraud and Abuse Act and equivalent statutes in other jurisdictions.
- Work with you to understand and resolve the issue.
Good-faith research means: you avoided privacy violations, destruction of data, and interruption or degradation of our service; you tested only against accounts you own or with the explicit permission of the account holder; you provided us a reasonable disclosure timeline.
If at any point you are uncertain whether a specific action is consistent with this policy, contact security@mattermode.com and ask first.
Hall of Fame
With the reporter's consent, we publish a public acknowledgement at mattermode.com/security/hall-of-fame. Each entry includes the reporter's chosen handle, the calendar quarter of the finding, and (where the reporter agrees) a one-line description of the class of issue. Reporters who prefer to remain anonymous can simply opt out.
Coordinated disclosure
We follow a 90-day coordinated-disclosure timeline:
- Day 0 — report received.
- Day 0–7 — triage and severity grading.
- Day 7–60 — remediation in progress, regular updates to reporter.
- Day 60–90 — fix deployed, customer-facing comms prepared if material.
- Day 90 — public disclosure permitted, coordinated draft shared with reporter.
If a fix lands earlier than day 90 and the reporter agrees, public disclosure can be brought forward. If a fix needs longer than 90 days (e.g., requires a coordinated industry response), we negotiate an extension in writing with the reporter.
We will not request a disclosure embargo longer than 180 days under any circumstances.
What we will not do
- Sue, threaten, or otherwise retaliate against good-faith researchers.
- Reduce a reward after the fact for reasons unrelated to the finding.
- Disclose researcher identity without explicit consent.
- Use bug bounty submissions to seed marketing claims.
Programme governance
The programme is owned by the CISO. Quarterly metrics — submission volume, triage SLA hit rate, payout total, average remediation time — are published in the engineering update at the end of each quarter and included as evidence in our SOC 2 controls map under CC9.1.
See also
- Vulnerability disclosure protocol — how to contact us and key fingerprints.
- Pentest template — for engagements outside the bounty programme.
- SOC 2 controls map — CC9.1 evidence reference.
- Threat model — what we defend against.