In terms of quality
All Matomo PHP code should adhere to a security checklist, and all commits to the Matomo (Piwik) Git repository are reviewed by at least two core developers. Furthermore, the Matomo project uses an ever-expanding, comprehensive set of tests and automated web tests on a self-hosted continuous integration server as part of its software quality assurance. This complements our software development practices such as code reviews.
Matomo Security Bug Bounty Program
The Matomo Security Bug Bounty Program is designed to encourage security research in Matomo software and to reward those who help us create the safest web analytics platform. You can also find our Bug Bounty Program on HackerOne.
The bounty for valid critical security bugs is a $555 (US) cash reward. The bounty for non-critical bugs is $242 (US), paid via PayPal.
Since we started this program in Jan 2011, we have already rewarded more than 25 researchers. This program has been very successful in improving code quality and fixing all known security issues in Matomo.
The bounty will be awarded for security bugs that meet the following criteria:
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- The security bug must be original and previously unreported
- Share the security issue with us in detail
- The security bug is present in the most recent supported or release candidate version of Matomo software
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Please don’t run automated tools against live servers without contacting us first. If you want to test out Matomo you can easily set up your own instance.
- Please don’t test contact forms and similar actions that send out emails
- Please don’t sign up for more than one free trial on InnoCraft cloud.
We also maintain a list of requests for security improvements.
Applications in Scope
- The Matomo Open Source software
- Official plugins by the Matomo team and InnoCraft
- All other software in the matomo-org and innocraft GitHub organisations
- Matomo Analytics Cloud
- Matomo Marketplace Platform
- Matomo Mobile 2 Android and iOS apps
  - Only critical issues compromising the token are in scope
The following issues are outside the scope of our rewards program:
- Path disclosure
- Information disclosure
- Version disclosure
- Open Directory Listing
- Application Errors on pages
- CRIME/BEAST attacks and lack of HTTP security headers (CSP, X-XSS, etc.)
- Security issues as a result of running a Matomo instance without HTTPS
- Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
- Output from automated scans – please manually verify issues and include a valid proof of concept
- Missing cookie flags on non-sensitive cookies.
- Vulnerabilities affecting users of outdated browsers or platforms.
- HSTS or CSP headers
- Vulnerabilities in code that is not packaged in the Matomo installation zip (such as tests) unless they affect the final release. Please make sure that the referenced file also exists in our final releases.
- Issues that already have a public GitHub issue (you can find them with the security label)
- Issues that require the attacker to have access to the token_auth
How to Report a Security Issue
Please email security issues to email@example.com or report them on HackerOne. Please provide as much detail as you can about your environment, Matomo version, plugins used (if relevant), and any other relevant information.
You will receive a response from a team member acknowledging receipt of your email, typically within 24 hours. If you do not receive a response, please do not assume we’re ignoring you – it’s quite possible your email didn’t make it through a spam filter.
We appreciate your patience and input. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming.
Security in our Development Process
Core developers are all committed to achieving the highest standard of security. All Matomo (Piwik) PHP code should adhere to the security checklist. All commits to the Matomo Git repository are reviewed by at least two core developers.
Regular external security reviews do take place, and some of these have contributed security suggestions. We have also commissioned three paid security reviews (in 2010, 2012 and 2014), conducted by top PHP security researchers.
We hope Matomo (Piwik) is not vulnerable to any critical security bugs, and we are committed to ensuring that this is the case. Thank you for your support!
Improve your Matomo Server Security and Set your Privacy Options
Once you have installed Matomo (Piwik) and started gathering visitor data in your MySQL database, you may be concerned about others accessing your server. There are easy steps you can take to ensure that adding Matomo in your existing software environment (CMS, CRM, etc.) will be as safe as possible.
Make your Matomo Server More Secure
Installing Matomo (Piwik) and tracking visitors is quick and easy, but how can you make sure it is nearly impossible to hack into your server, or protect your database data from being accessed by external parties?
To make your server and database more secure, check out our step-by-step guide: Secure Matomo (Piwik) server: steps to keep Matomo safe
We recommend turning on automatic SSL redirection in your Matomo (Piwik).
Data Privacy and Visitor Privacy
Matomo (Piwik) strives to provide excellent privacy features for you, the Matomo user, and also for the visitors being tracked by your Matomo. See Matomo & User Privacy for more information.
Please subscribe to the Changelog to be notified of new releases (including security releases).