Matomo will now pay researchers 5,000 USD for a critical security vulnerability

Matomo Analytics is the leading open-source web analytics solution, designed to give you conclusive insights while respecting your user’s privacy, and keeping your data secure. We’re so proud Matomo is trusted with the analytics data of more than 1 million sites worldwide.

Although we have had an excellent security track record so far, we recognise security is an ongoing challenge and requires constant vigilance. With this announcement we’re showing our commitment to reward those who help us maintain the highest security in Matomo.

New bounty of 5,000 USD for a CRITICAL security issue responsibly disclosed to us

We’re now paying 5,000 USD or 4,700 EUR for each critical vulnerability found, and responsibly disclosed to us. (Previously this bounty was less than 1,000USD.) 

A Critical Issue in Matomo means an issue in our latest official release at: as installed on a typical server (and possibly using any of our official plugins by Matomo or InnoCraft from the Marketplace).

If you can gain remote code execution on the server (i.e. RCE), or if you’re able to delete data with an HTTPS request (i.e. SQL Injection), this may qualify as a Critical Issue. Please report it on Hackerone.

Matomo keeps your data secure

The Matomo team has always been committed to achieving the highest standard of security. For example, Matomo was one of the first open-source projects in the world to launch a public bug bounty in January 2011. Every year many researchers, users and customers review the Matomo source code, and overall we’ve rewarded dozens of researchers over the years for their work in keeping Matomo data safe.

How to make your Matomo server even more secure?

Check out our recommendations in How to configure Matomo for Security

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email