Security

Find a bug, get the bounty.

Play an essential role by letting us know of any crucial security issues you may find while using Matomo. You can do this by taking part in the Matomo Security Bug Bounty Programme, which is designed to encourage security research into Matomo software and to reward those helping to create the safest web analytics platform possible.

The bounty for valid critical security bugs is a $13,000 (US) cash reward.

A critical issue in Matomo means an issue in our latest official release at https://builds.matomo.org/latest.zip as installed on a typical server (possibly also using any of our official plugins by Matomo or InnoCraft from the Marketplace).

If you can gain remote code execution (RCE) on the server, or if you’re able to delete data with an HTTPS request (e.g. via SQL injection), this may qualify as a critical issue. (Note: if a remote code execution is only possible when logged in as a Super User, the issue will qualify as “High” and not “Critical”.)

The bounty for other security bugs is up to $1,777 (US), paid via PayPal or via Hackerone.

If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Reported security issues must be original and previously unreported.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Please don’t run automated tools against live servers without contacting us first. If you want to test out Matomo, you can easily set up your own instance.
  • Please don’t test contact forms and similar actions that send out emails.
  • Please don’t sign up for more than one free trial on InnoCraft cloud.

Out-of-scope Vulnerabilities

The following issues are outside the scope of our rewards program:

  • Path disclosure
  • Clickjacking
  • Information disclosure
  • Version disclosure
  • The token_auth acts as the user’s password and is used to authenticate in API requests (see FAQ).
  • Open Directory Listing
  • CORS related issues in any of our *.matomo.org websites.
  • Application Errors on pages
  • CRIME/BEAST attacks and lack of HTTP security headers (CSP, X-XSS-Protection, etc.)
  • Security issues as a result of running a Matomo instance without HTTPS
  • Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
  • Output from automated scans – please manually verify issues and include a valid proof of concept
  • Missing cookie flags on non-sensitive cookies.
  • Users with super user privileges can post arbitrary JavaScript
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Issues related to world writable files in a shared hosting environment
  • Race conditions to bypass limits/quotas.
  • Blind Server-Side Request Forgery
  • HSTS or CSP headers
  • SPF, DMARC records missing
  • Vulnerabilities due to an older version of PHP, or MySQL (or MariaDB), or in the web server (Apache/Nginx), or Operating System (Linux/Windows).
  • Vulnerabilities caused by not applying Matomo security best practices
  • Vulnerabilities in third party plugins (not authored by Matomo nor InnoCraft)
  • Vulnerabilities in code that is not packaged in the Matomo installation zip (such as tests), unless they affect the final release. Please make sure that the referenced file also exists in our final releases.
  • The CLI is out of scope (including the Matomo console commands)

Please submit any open source security issues directly to us, do not open security-related issues on public GitHub repositories.

Thank you for helping keep Matomo and our users safe!

How to report a security issue

We encourage you to responsibly report issues via our Matomo Bug Bounty Program on HackerOne (or you can also email us at security@matomo.org).

Assist us by providing as much detail as you can about your environment, Matomo version, plugins used (if relevant), and any other relevant information.

A response from a team member acknowledging receipt of your email will typically arrive within 24 hours. If you don’t receive a response, please know we’re not ignoring you; it’s quite possible your email didn’t make it through a spam filter.

We appreciate your patience in understanding that some bugs will take time to correct, and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming, so your input and effort in this matter are warmly received. It’s also crucial that we can trust you not to disclose the vulnerability to anyone until a few days after the stable Matomo release, and after the advisory is issued.

As a thank you, your name will be credited in the Changelog and if applicable, the security bug bounty will be paid via PayPal. Thank you for contributing to making the free software world safer.

Security in our development process

Core developers are all committed to achieving the highest standard of security. All Matomo PHP code should adhere to the security checklist. All commits to the Matomo Git repository are reviewed by at least two core developers.

Regular external security reviews take place, and some of these have contributed security suggestions. We have also commissioned three paid security reviews (in 2010, 2012 and 2014) conducted by top PHP security researchers.

The Matomo project also uses an ever-expanding comprehensive set of automated tests and automated web tests running after each code change on servers as part of its continuous integration and software quality assurance. This complements our software development practices such as code reviews.

We also maintain a list of requests for security improvements.

We hope Matomo is not vulnerable to any critical security bugs and we are committed to ensuring that this remains the case. Thank you for your support!

Improve your Matomo server security and set your privacy options

Installing Matomo and tracking visitors is quick and easy, but once you’ve installed Matomo and started gathering visitor data in your MySQL database, you may be concerned about others accessing your server. How can you make sure it is nearly impossible to hack into your server, or protect your database data from being accessed by external parties?

Make your Matomo server more secure

There are easy steps you can take to ensure that adding Matomo in your existing software environment (CMS, CRM, etc.) will be as safe as possible.

To make your server and database more secure, check out our step by step guide: Secure Matomo server: steps to keep Matomo safe

Data privacy and visitor privacy

Matomo strives to provide excellent privacy features for you, the Matomo user, and also for the visitors being tracked in your Matomo. See the Matomo and User Privacy page for more information.

Security announcements

Please subscribe to the Changelog to be notified of new releases (including security releases).