Security
Vulnerability disclosure
Coordinated vulnerability disclosure protocol for Matter. Contact channels, PGP key, response SLAs, disclosure timeline, and credit policy. Mirrors RFC 9116 (security.txt) practices.
Last updated
This page is the protocol security researchers should follow when contacting Matter about a suspected vulnerability. It mirrors the RFC 9116 (security.txt) conventions and is referenced from https://mattermode.com/.well-known/security.txt. For reward-eligible findings, see the bug bounty policy.
Contact
- Primary email —
security@mattermode.com - Encrypted email — PGP-encrypted to the key whose fingerprint is published below.
- Backup contact —
dom@mattermode.com(CEO) andciso@mattermode.com(CISO).
Please prefer email. We do not currently operate a HackerOne, Bugcrowd, or comparable third-party intake — submitting through such a platform delays our response.
PGP key
Fingerprint: TBD-PUBLISHED-AT-FIRST-AUDIT (placeholder)
Key URL: https://mattermode.com/.well-known/security-pgp.asc
Expires: 12 months from publication; rotated annuallyThe fingerprint placeholder is finalised when the key is generated as part of the first SOC 2 Type I audit window. Researchers who need to disclose before then may use TLS-only email to security@mattermode.com.
Languages
We accept reports in English. Translation tools may introduce ambiguity in repro steps — if the reporter prefers a different working language, please include a plain English reproduction summary in addition to the native-language report.
Acknowledgement and response timeline
| Phase | Target |
|---|---|
| Receipt acknowledgement | 24 hours |
| Initial severity assessment | 72 hours |
| Triage decision (accept / dedupe / reject) | 7 days |
| Fix target | per severity, see bug bounty policy |
If you have not received a receipt within 48 hours, please resend to the backup contacts above. Do not publicly disclose during the disclosure window — that is the surest way to slow remediation.
Coordinated disclosure timeline
Matter follows a 90-day coordinated-disclosure timeline by default. The clock starts on the day we acknowledge receipt of the report. The timeline is:
| Day | Activity |
|---|---|
| 0 | Receipt acknowledged. Reporter assigned a tracking ID. |
| 7 | Triage decision communicated. |
| 60 | Status update sent to the reporter, regardless of fix state. |
| 90 | Public disclosure permitted. Coordinated draft shared with reporter. |
Extensions. If the underlying issue requires longer than 90 days (e.g., coordinated upstream fix, complex migration), we will request an extension in writing with a justification. We never request more than 180 days. Acceleration. If a fix lands sooner and the reporter agrees, the disclosure can be brought forward.
Credit policy
Researchers may choose:
- Public credit — name or handle published in the bug bounty Hall of Fame.
- Anonymous — no credit, no public attribution.
- Coordinated joint advisory — Matter and the reporter publish a joint write-up after the disclosure window closes.
Credit decisions are made by the reporter and recorded at triage.
Safe harbour
The safe-harbour section of the bug bounty policy applies to all good-faith disclosures under this protocol, even if the finding does not qualify for a reward.
What constitutes a vulnerability
For the purposes of this protocol, a vulnerability is any flaw that, if exploited, would:
- Disclose data the requestor is not authorised to see (cross-tenant, cross-mode, cross-stakeholder).
- Allow an unauthenticated or under-authenticated request to mutate state.
- Allow an attacker to bypass cryptographic controls, including signature verification on webhooks or the audit chain.
- Result in privilege escalation across the scope DSL.
- Expose credentials, KMS material, or secrets at rest or in transit.
- Allow injection (SQL, prompt, command, template) into a service surface.
- Bypass rate limits in a way that enables a class of attack rather than a single misuse.
Findings that fall outside this list may still be welcomed but will be assessed case-by-case.
What does not qualify
- Theoretical findings unsupported by a proof of concept.
- Best-practice deviations without an exploitable consequence (e.g., missing security header on a static-asset CDN).
- Information disclosure that is by design (e.g., the OpenAPI spec at
apps/docs/api-reference/openapi.yaml). - Findings against staging or sandbox modes that depend on attacker-controlled test data.
- Findings that require physical access to a developer laptop.
Reporting third-party vulnerabilities
If the finding is in a sub-processor (Clerk, Vercel, Neon, Stripe), please report it directly to them. We are happy to coordinate the relationship — copy security@mattermode.com so we can follow up internally.
Updates to this protocol
This page is reviewed annually. Material changes (key rotation, contact change, timeline change) are announced via mattermode.com/security and via update to security.txt.
See also
- Bug bounty policy — reward tiers and safe-harbour text.
- SOC 2 controls map — CC9.1 evidence reference.
- Pentest template — for engagements outside the bounty programme.