Responsible Disclosure Policy

We request that you submit any findings related to security vulnerabilities directly to our HackerOne program. If you prefer, you can also send the details to our security team at security@rocket.chat. Upon receipt, we will send you an email outlining the next steps for disclosure.

Refrain from seeking compensation for reporting vulnerabilities. However, if you wish, we can publicly recognize your responsible disclosure in our WhiteHat Hall of Fame. Once the vulnerability has been addressed, we aim to make the confidential issue public.

Note that it is not permissible to search for vulnerabilities on Rocket.Chat's Community server. As Rocket.Chat is open-source software, we recommend installing your own copy and conducting tests against that.

For more information on how to contribute to our security, visit our security contribution guidelines.