Security

Find a bug, get the bounty.

Play an essential role by letting us know of any crucial security issues you may find using Matomo. You can do this by taking part in the Matomo Security Bug Bounty Programme. Designed to encourage security research into Matomo software and to reward those helping to create the safest web analytics platform possible.

The bounty for valid critical security bugs is a $777 (US) cash reward. The bounty for non-critical bugs is $333 (US), paid via PayPal. Since starting this programme in Jan 2011, we’ve already rewarded more than 50 researchers. These researchers have been crucial in helping to improve code quality and fixing all known security issues in Matomo.

If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Reported security issues must be original and previously unreported
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Please don’t run automated tools against live servers without contacting us first. If you want to test out Matomo you can easily set up your own instance
  • Please don’t test contact forms and similar actions that send out emails
  • Please don’t sign up for more than one free trial on InnoCraft cloud.
Out-of-scope Vulnerabilities

The following issues are outside the scope of our rewards program:

  • Path disclosure
  • Clickjacking
  • Information disclosure
  • Version disclosure
  • Open Directory Listing
  • Application Errors on pages
  • Crime/beast attack and Lack of HTTP security headers (CSP, X-XSS, etc.)
  • Security issues as a result of running a Matomo instance without HTTPS
  • Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
  • Output from automated scans – please manually verify issues and include a valid proof of concept
  • Missing cookie flags on non-sensitive cookies.
  • Users with super user privileges can post arbitrary JavaScript
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • HSTS or CSP headers
  • Vulnerabilities in code that is not packaged in the Matomo installation zip (such as tests) unless they affect the final release. Please make sure that the referenced file is thus also existent in our final releases.

Please submit any open source security issues directly to us, do not open security-related issues on public GitHub repositories.

Thank you for helping keep Matomo and our users safe!

How to report a security issue

We encourage you to responsibly report issues via our Matomo Bug Bounty Program on HackerOne (or you can also email us at  security@matomo.org)

Assist us by providing as much detail as you can about your environment, Matomo version, plugins used (if relevant), and any other relevant information.

A response from a team member acknowledging receipt of your email, will typically be within 24 hrs. If you don’t receive a response, please know we’re not ignoring you – it’s quite possible your email didn’t make it through a spam filter.

We appreciate your patience in understanding that some bugs will take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming so your input and effort in this matter is warmly received. It’s also crucial we can trust you not to disclose the vulnerability to anyone until a few days after the release of the stable Matomo, and after the advisory is issued.  

As a thank you, your name will be credited in the Changelog and if applicable, the security bug bounty will be paid via PayPal. Thank you for contributing to making the free software world safer.

Security in our development process

Core developers are all committed to achieving the highest standard of security. All Matomo PHP code should adhere to the security checklist. All commits to the Matomo Git repository are reviewed by at least two core developers.

Regular external security reviews do take place, and some of these have contributed a few security suggestions. We have also conducted three paid security reviews (in 2010, 2012 and 2014) conducted by the top php security researchers.

We also maintain a list of requests for security improvements.

We hope Matomo is not vulnerable to any critical security bugs and we are committed to ensuring that this remains the case. Thank you for your support!

Improve your Matomo server security and set your privacy options

Installing Matomo and tracking visitors is quick and easy, but once you’ve installed Matomo and started gathering visitor data in your MySQL database, you may be concerned about others accessing your server. How can you make sure it is nearly impossible to hack into your server, or protect your database data from being accessed by external parties?

Make your Matomo server more secure

There are easy steps you can take to ensure that adding Matomo in your existing software environment (CMS, CRM, etc.) will be as safe as possible.

To make your server and database more secure, check out our step by step guide: Secure Matomo server: steps to keep Matomo safe

We recommend turning on automatic SSL redirection in your Matomo.

Data privacy and visitor privacy

Matomo strives to provide excellent privacy features for you, the Matomo user, but also to the visitors being tracked in your Matomo. See the Matomo and User Privacy for more information.

Security announcements

The Matomo project uses an ever-expanding comprehensive set of tests and automated web tests on a self-hosted continuous integration server as part of its software quality assurance. This complements our software development practices such as code reviews.

Please subscribe to the Changelog to be notified of new releases (including security releases).