# About Rocket.Chat
Rocket.Chat is committed to delivering an awesome and secure chat solution for, and aided by, our community. Given the nature of chat, we understand each person using Rocket.Chat has some expectation about their data being secure and private. It's clear how important this is to everyone, and we work to the best of our abilities to ensure your expectations are met. If you believe you've found a security issue in our apps and cloud environment, we encourage you to notify us. Our security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch.
# Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Please do not conduct testing against the Rocket.Chat demo or customer servers, and do not use them to develop Proof-of-Concept code for submitting reports. Please use your own Rocket.Chat installation for screen captures, logs, and videos showing vulnerabilities.
How to make sure that we will triage and accept your report:
- You must be the first reporter of a vulnerability associated with a participating service.
- You must have personally discovered the vulnerability and you may not report a vulnerability that was discovered by another person.
- You must not be employed by Rocket.Chat or any related entities, currently or in the last 12 months.
Provide as many relevant details as you can, in particular:
1. Which versions of the software are involved. Make sure to test against the latest version.
2. What steps someone can follow to go from an initial installation of that software to a point where they see the vulnerability.
3. Any patches or steps to mitigate the problem.
4. Videos reproducing the issue or screenshots of each step.
Here is an example of a good report that we received: https://hackerone.com/reports/1446767.
# Our Commitment to Researchers
If you submit a vulnerability report, the Rocket.Chat security team and associated development organizations will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report.
- Investigate and consider your vulnerability report for eligibility under our swag policy.
- Notify you when the remediation or other action regarding the vulnerability has been implemented.
Our SLA to Researchers:
- First Response: 24 hours.
- Triage: 1 - 2 weeks (depending on complexity and backlog).
- General Interactions: 2 days.
- Time to close the vulnerability: Currently we’re evaluating our SLA and we will update as soon as we improve it.
# Non-Qualifying Vulnerabilities (Out of Scope)
While researching, we ask that you refrain from reporting the following:
- Vulnerabilities in old versions. Please always test the latest version.
- Customers' workspaces, e.g. {customer}.rocket.chat.
- Denial of service that only affects yourself.
- Distributed Denial of Service.
- Spamming.
- Unconfirmed reports from automated vulnerability scanners.
- Rocket.Chat Community Server (https://open.rocket.chat).
- Missing Security Headers (e.g. HSTS, CSP).
- Missing Secure Flags on Cookies.
- SSL issues (weak ciphers/key-size/BEAST/CRIME).
- CSRF without any security impact.
- Rate Limiting (unless it constitutes a significant risk).
- Email sending checks.
- Social engineering (including phishing) of Rocket.Chat staff or contractors.
- Any physical attempts against Rocket.Chat property or data centers.
- Open Redirects without demonstrating additional security impact.
- Self-XSS without a reasonable attack scenario.
- Admin to Admin or Admin to User XSS. In these cases, a higher privileged user is attempting to attack the lower privileged user. As an admin, such script execution is considered a feature due to the nature of the platform.
- Submissions regarding product deficiencies, as opposed to exploitable vulnerabilities.
- XSS in our cloud file upload (AWS S3).
- Bugs in content/services that are not owned/operated by Rocket.Chat.
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms.
- Disclosure of known public files or directories (e.g. robots.txt).
# CVE Release Policy
- We only release CVEs for our products that reside in our codebase.
- The CVE release is mandatory when the vulnerability is related to our apps.
- Disclosure of the report is mandatory in order to request a CVE.
- We will disclose the report as soon as we release the patches and close the vulnerability.
- We don’t release CVEs for dependencies and infrastructure products that are not created by Rocket.Chat.
- The CVE release process can take 30 - 60 days because of HackerOne analysis and MITRE analysis.
# Swag Policy
We currently compensate our researchers by sending them some really cool swag from Rocket.Chat, depending on the severity of the vulnerability. Currently we only send swag for High and Critical vulnerabilities.
# Hall of Fame
For every vulnerability for which we release a patch, we will add your name to our Hall of Fame: https://docs.rocket.chat/contributors/how-can-i-help/security#whitehat-hall-of-fame.
# Thank you
Rocket.Chat is very grateful for your help in responsibly disclosing vulnerabilities and keeping our users safe! If your work helps us improve the security of our service.