Bug Bounties

Matomo

Powered by: 

Allows bounty splitting: 

Average time to first program response: 37

Average time to bounty awarded: 338

Average time to report resolved: 361

Handle: matomo

Managed program: false

Name: Matomo

Offers bounties: true

Offers swag: true

Response efficiency percentage: 91

Submission state: open

Url: https://hackerone.com/matomo

Website: https://matomo.org

In scope:

  • Asset identifier: 737216887
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Matomo Mobile 2 iOS App. Only critical issues compromising the token are in scope.
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: https://github.com/innocraft/
  • Asset type: SOURCE_CODE
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: All other software on the innocraft GitHub organisation
  • Integrity requirements: low
  • Max severity: high



  • Asset identifier: https://github.com/matomo-org
  • Asset type: SOURCE_CODE
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: All other software on the matomo-org GitHub organisation
  • Integrity requirements: low
  • Max severity: high



  • Asset identifier: https://github.com/matomo-org/matomo
  • Asset type: SOURCE_CODE
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This repository contains the source code of Matomo Analytics.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://matomo.cloud/
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Matomo Analytics Cloud *$username.matomo.cloud* is also in scope, but please limit tests to ones that don't affect the live instance (no automated tools). You can easily set up your own Matomo instance for extensive testing (see https://matomo.org/docs/installation/).
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://plugins.matomo.org/developer/innocraft
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Official plugins by Innocraft
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://plugins.matomo.org/developer/matomo-org
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Official plugins by the Matomo team
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: org.piwik.mobile2
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Matomo Mobile 2 Android App. Only critical issues compromising the token are in scope.
  • Integrity requirements: low
  • Max severity: medium