Security
Pentest template
Annual external penetration test scope plus quarterly internal purple-team rotation template. Rules of engagement, in-scope and out-of-scope surfaces, deliverables, and remediation SLA.
Last updated
Matter contracts an annual external penetration test and runs a quarterly internal purple-team exercise. This page is the scope-of-work template that governs both. Per-engagement instances are filed under apps/docs/content/docs/security/pentest-findings/ (template at _template.md; first applied report at 2026-q2-internal-purple-team.md).
This template is the evidence pointer behind SOC 2 controls CC3.2, CC7.4, A1.3, and A.8.29 in the SOC 2 controls map and ISO 27001 control map.
Annual external pentest
Cadence
- One engagement per calendar year, scheduled in Q3 unless a major architectural change (e.g., new authentication mode, new bounded context, new sub-processor) warrants an out-of-cycle test.
- Re-test within 6 weeks of the initial engagement to verify remediations.
In scope
- The Matter REST API at
api.mattermode.com(live and sandbox modes). - The dashboard at
app.mattermode.com. - The MCP server surface at
mcp.mattermode.com. - The marketing surface at
mattermode.com(limited: XSS, CSRF, supply-chain). - Authentication flows: bearer tokens, mTLS, M2M OAuth client-credentials, SAML, SCIM, step-up authentication.
- Webhook delivery and HMAC signature verification.
- Audit chain integrity and Sigstore Rekor anchoring.
- Mode segregation (live, sandbox, test).
- Per-tenant isolation.
- Secret management: token revocation, KMS rotation, agent-scope policy DSL.
Out of scope
- Customer-owned infrastructure that receives our webhooks.
- Third-party sub-processors (Clerk, Vercel, Neon, Stripe). Their pentest scope is published in their SOC 2 reports.
- Denial-of-service or sustained volumetric attacks. Edge-provider concern.
Rules of engagement
- Testing window — two weeks, off-peak. No marketing campaigns or customer demos scheduled during the window.
- Test environment — a dedicated staging environment with production-scale, PII-scrubbed data. Never production.
- Rate limits — relaxed 10x for the testers' source ASN, which is allow-listed for the window.
- Customer-impact incidents — triaged within 15 minutes; testing pauses until resolved.
- Communication channel — a shared Signal thread between Matter security on-call and the testing firm.
Auditor selection criteria
- Recognised pentest firm with verifiable references in fintech or comparable regulated SaaS.
- Lead tester carries an OSCP, OSWE, or equivalent certification.
- Pricing transparency: fixed-fee for the initial engagement, retest included.
- Willing to operate under our coordinated-disclosure timeline.
Deliverables
The engaged firm provides:
- Findings report — every finding with CVSS 3.1, repro steps, affected surface, recommended remediation. Delivered within two weeks of test window close.
- Executive summary — one-page risk roll-up suitable for board and SOC 2 auditors.
- Re-test report after remediation, included in engagement fee.
Quarterly internal purple team
Cadence
- Four exercises per year, one per quarter. Each exercise runs for one week with a designated lead and two participants from outside the lead's bounded context.
Rotation
Each quarter focuses on a different scope so that over a year the full attack surface is covered:
| Quarter | Focus |
|---|---|
| Q1 | Auth plane — token rotation, scope policy, step-up, OAuth introspection, SAML/SCIM flows. |
| Q2 | Cap-table mutations — equity grant correctness, ownership invariants, cross-tenant boundaries. |
| Q3 | Dissolution saga — multi-step state transitions, idempotency, compensation, audit-chain integrity. |
| Q4 | Mail prompt injection — agent-facing surfaces, MCP tool boundaries, the cross-tenant access matrix. |
Methodology
- Red side — two participants attempt to violate the quarter's invariants using documented and undocumented surfaces. They must operate inside the bug bounty programme's safe-harbour rules.
- Blue side — the bounded-context owner observes, takes notes, and decides whether each attempt was detected.
- Purple sync — daily 30-minute call to share findings and re-aim the next day's work.
Tooling
- A dedicated purple-team org in the sandbox is created for the week.
- Audit-chain visualisation tooling is enabled.
- Anomaly-detection thresholds are tightened for the duration so we can observe whether attacks light up the existing detectors.
Deliverables
The week ends with a written report at apps/docs/content/docs/security/pentest-findings/<year>-q<n>-internal-purple-team.md, filed against _template.md. Findings carry the same CVSS scoring and SLA as external pentest findings.
Remediation SLA
| Severity | SLA |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 60 days |
| Low | 120 days |
SLA breach pages the security on-call, who escalates to the CISO and CTO. Breaches are tracked on the SOC 2 control monitoring dashboard.
Internal preparation checklist
Before each engagement (external or internal):
- Threat model up-to-date (
threat-model.mdx). - All canary credentials rotated.
- Anomaly detection thresholds tightened for the engagement window.
- Test environment seeded with realistic, PII-scrubbed data.
- Bounded-context owners briefed.
- Communication channel established.
- Engagement letter signed (external) or kick-off doc circulated (internal).
Reciprocity
Findings that we are confident affect a sub-processor are reported back to that provider under their own coordinated-disclosure policy. Findings that reveal a class of issue applicable to the broader ecosystem (e.g., a novel attack against the OAuth introspection endpoint) are submitted as a write-up to the relevant working group with the testing firm's permission.
See also
- Bug bounty policy — public-facing reporting channel.
- Vulnerability disclosure protocol — researcher contact protocol.
- Pentest findings template — per-engagement report shape.
- First applied purple-team report — 2026 Q2.
- SOC 2 controls map — CC3.2 / CC7.4 / A1.3 evidence reference.
- Threat model — what we defend against.