Security Contribution Guidelines

Rocket.Chat is a platform that highly values the security of its users and their data. As such, it encourages the community to contribute by identifying and reporting any potential security issues. This document provides an overview of how you can contribute to enhancing the security of Rocket.Chat.

Our security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch.

We follow Monsible disclosure and will credit researchers when a security issue has been identified and mitigated while adhering to the following specifics:

• You may not use automated tools in your research without our explicit consent. The use of automated tools may result in an investigative action or your IP(s) being blocked.

• You make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

• You give us reasonable time to respond to your report and carry out remediation.

• We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Rocket.Chat projects or related services if we determine the issue to be of high or critical severity or if there has been continued research or contributions made by the reporter.

• We will credit you with your name and a "no-follow" link to your address (e.g. Twitter or personal website). As a token of our gratitude for your assistance, we also offer an original Rocket.Chat Shirt to every first reporter about a security problem that we have not yet known. We may limit this reward to one item per person, depending on the item's availability. Please refrain from requesting additional compensation for reporting vulnerabilities.

• If you follow these parameters, we will not bring any lawsuit or begin a law enforcement investigation.

What details should you include when reporting a Security Issue?

Please provide as many relevant details as you can. In particular:

• What versions of the software are involved

• What steps can someone follow to go from an initial installation of that software to a point will they see the vulnerability?

• Any patches or steps to mitigate the problem

Rocket.Chat's approach to handling security issues reflects its commitment to maintaining a secure and reliable platform. By encouraging users to report vulnerabilities and rewarding them for their efforts, Rocket.Chat fosters a community that actively contributes to its security. This not only enhances the platform's integrity but also strengthens the trust between Rocket.Chat and its users.