Find a bug, get the bounty.
Play an essential role by letting us know of any crucial security issues you may find using Matomo. You can do this by taking part in the Matomo Security Bug Bounty Programme. Designed to encourage security research into Matomo software and to reward those helping to create the safest web analytics platform possible.
Critical issue in Matomo means an issue in our latest official release at: https://builds.matomo.org/latest.zip as installed on a typical server (and possibly using any of our official plugins by Matomo or InnoCraft from the Marketplace). If you can gain remote code execution on the server (i.e. RCE), or if you’re able to delete data with an HTTPS request (i.e. SQL Injection), this may qualify as a critical issue.
Since starting this programme in Jan 2011, we’ve already rewarded more than 60 researchers. These researchers have been crucial in helping to improve code quality and fixing all known security issues in Matomo.
If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Reported security issues must be original and previously unreported
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Please don’t run automated tools against live servers without contacting us first. If you want to test out Matomo you can easily set up your own instance
- Please don’t test contact forms and similar actions that send out emails
- Please don’t sign up for more than one free trial on InnoCraft cloud.
The following issues are outside the scope of our rewards program:
- Path disclosure
- Information disclosure
- Version disclosure
token_authacts as the user’s password and is used to authenticate in API requests (see FAQ).
- Open Directory Listing
- CORS related issues in any of our
- Application Errors on pages
- Crime/beast attack and Lack of HTTP security headers (CSP, X-XSS, etc.)
- Security issues as a result of running a Matomo instance without HTTPS
- Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
- Output from automated scans – please manually verify issues and include a valid proof of concept
- Missing cookie flags on non-sensitive cookies.
- Vulnerabilities affecting users of outdated browsers or platforms.
- Issues related to world writable files in a shared hosting environment
- Race conditions to bypass limits/quotas.
- Blind Server-Side Request Forgery
- HSTS or CSP headers
- SPF, DMARC records missing
- Please make sure that the referenced file is thus also existent in our final releases. Vulnerabilities in code that is not packaged in the Matomo installation zip (such as tests) unless they affect the final release.
Please submit any open source security issues directly to us, do not open security-related issues on public GitHub repositories.
Thank you for helping keep Matomo and our users safe!
How to report a security issue
Assist us by providing as much detail as you can about your environment, Matomo version, plugins used (if relevant), and any other relevant information.
A response from a team member acknowledging receipt of your email, will typically be within 24 hrs. If you don’t receive a response, please know we’re not ignoring you – it’s quite possible your email didn’t make it through a spam filter.
We appreciate your patience in understanding that some bugs will take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming so your input and effort in this matter is warmly received. It’s also crucial we can trust you not to disclose the vulnerability to anyone until a few days after the release of the stable Matomo, and after the advisory is issued.
Security in our development process
Core developers are all committed to achieving the highest standard of security. All Matomo PHP code should adhere to the security checklist. All commits to the Matomo Git repository are reviewed by at least two core developers.
Regular external security reviews do take place, and some of these have contributed a few security suggestions. We have also conducted three paid security reviews (in 2010, 2012 and 2014) conducted by the top php security researchers.
The Matomo project also uses an ever-expanding comprehensive set of automated tests and automated web tests running after each code change on servers as part of its continuous integration and software quality assurance. This complements our software development practices such as code reviews.
We also maintain a list of requests for security improvements.
We hope Matomo is not vulnerable to any critical security bugs and we are committed to ensuring that this remains the case. Thank you for your support!
Improve your Matomo server security and set your privacy options
Installing Matomo and tracking visitors is quick and easy, but once you’ve installed Matomo and started gathering visitor data in your MySQL database, you may be concerned about others accessing your server. How can you make sure it is nearly impossible to hack into your server, or protect your database data from being accessed by external parties?
Make your Matomo server more secure
There are easy steps you can take to ensure that adding Matomo in your existing software environment (CMS, CRM, etc.) will be as safe as possible.
To make your server and database more secure, check out our step by step guide: Secure Matomo server: steps to keep Matomo safe