Find a bug, get the bounty.
Play an essential role by letting us know of any crucial security issues you may find using Matomo. You can do this by taking part in the Matomo Security Bug Bounty Programme. Designed to encourage security research into Matomo software and to reward those helping to create the safest web analytics platform possible.
The bounty for valid critical security bugs is a $555 (US) cash reward. The bounty for non-critical bugs is $242 (US), paid via PayPal.
Since starting this programme in Jan 2011, we’ve already rewarded more than 25 researchers. These researchers have been crucial in helping to improve code quality and fixing all known security issues in Matomo.
The bounty will be awarded for security bugs that meet the following criteria:
- Security bugs must be original and previously unreported
- Security bugs are present in the most recent supported or release candidate version of Matomo software
- If two or more people report the bug together, the reward will be divided among them
- Important notes: Vulnerabilities such as Path disclosure, Clickjacking, Information disclosure, Open Directory Listing, Application Errors on pages, Crime/beast attack, UserName Listing and enumeration, HttpOnly Cookie Disclosure, do not qualify for the bounty programme. Please refrain from sending us emails with these reports
- Vulnerabilities that apply for the bounty are bugs found in the Matomo Software or in the Matomo Marketplace. If you find any XSS, csrf, remote code exec, sql injection, or any other security issue in the Matomo Platform or in the Marketplace, contact us
How to report a security issue
Assist us by providing as much detail as you can about your environment, Matomo version, plugins used (if relevant), and any other relevant information.
A response from a team member acknowledging receipt of your email, will typically be within 24 hrs. If you don’t receive a response, please know we’re not ignoring you – it’s quite possible your email didn’t make it through a spam filter.
We appreciate your patience in understanding that some bugs will take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming so your input and effort in this matter is warmly received. It’s also crucial we can trust you not to disclose the vulnerability to anyone until a few days after the release of the stable Matomo, and after the advisory is issued.
Security in our development process
Core developers are all committed to achieving the highest standard of security. All Matomo PHP code should adhere to the security checklist. All commits to the Matomo Git repository are reviewed by at least two core developers.
Regular external security reviews do take place, and some of these have contributed a few security suggestions. We have also conducted three paid security reviews (in 2010, 2012 and 2014) conducted by the top php security researchers.
We also maintain a list of requests for security improvements.
We hope Matomo is not vulnerable to any critical security bugs and we are committed to ensuring that this remains the case. Thank you for your support!
Improve your Matomo server security and set your privacy options
Installing Matomo and tracking visitors is quick and easy, but once you’ve installed Matomo and started gathering visitor data in your MySQL database, you may be concerned about others accessing your server. How can you make sure it is nearly impossible to hack into your server, or protect your database data from being accessed by external parties?
Make your Matomo server more secure
There are easy steps you can take to ensure that adding Matomo in your existing software environment (CMS, CRM, etc.) will be as safe as possible.
To make your server and database more secure, check out our step by step guide: Secure Matomo server: steps to keep Matomo safe
We recommend turning on automatic SSL redirection in your Matomo.
Data privacy and visitor privacy
The Matomo project uses an ever-expanding comprehensive set of tests and automated web tests on a self-hosted continuous integration server as part of its software quality assurance. This complements our software development practices such as code reviews.
Please subscribe to the Changelog to be notified of new releases (including security releases).