Responsible Disclosure Policy

We kindly request that you submit any findings related to security vulnerabilities directly to our to HackerOne program. If you prefer, you can also send the details to our security team at security@rocket.chat. Upon receipt, we will send you an email outlining the next steps for disclosure.

Please refrain from seeking compensation for reporting vulnerabilities. However, if you wish, we can publicly recognize your responsible disclosure in our WhiteHat Hall of Fame. Once the vulnerability has been addressed, we aim to make the confidential issue public.

Please note that it is not permissible to search for vulnerabilities on Rocket.Chat's Community server. As Rocket.Chat is open-source software, we recommend installing a copy on your own and conducting tests against that. If you wish to perform testing without setting up Rocket.Chat yourself, please reach out to us to arrange access to a staging server.

For more information on how to contribute to our security, please visit our Security Contribution Guidelines