kgess-mirror/matrix.org
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix.org.git synced 2026-01-11 20:07:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Zola footer pages (#1537)

Browse source 
* Add security disclosure policy

* Add hall-of-fame

* Make spellcheck happy

* Make findings stand out more in the hall of fame

* Don't say the same think twice

* Add legal section

* Add contact page

* Call the security hall of fame consistently

* Fix legal markdown

* I said consistently

* Address last concerns
This commit is contained in:
Thibault Martin 2022-11-02 11:23:22 +01:00 committed by GitHub
parent a657744960
commit ca2e32a201
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 1804 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
content/contact.md Normal file
View file

@ -0,0 +1,15 @@
+++
title = "Contact"
+++
The best place to get information and connect is on Matrix itself - starting in
[Matrix HQ (#matrix:matrix.org)](https://matrix.to/#/#matrix:matrix.org).
However, if you prefer email, or have a need to be more direct:
- [abuse@matrix.org]("mailto:abuse@matrix.org") if you need to urgently report
abuse on the platform
- [support@matrix.org](mailto:support@matrix.org) for more general support and
commercial queries
- [security@matrix.org](mailto:security@matrix.org) to disclose security issues.
Also see our [Security Disclosure Policy](/security-disclosure-policy/)

5
content/legal/_index.md Normal file
View file

@ -0,0 +1,5 @@
+++
title = "Legal"
template = "legal.html"
+++

69
content/legal/code-of-conduct.md Normal file
View file

@ -0,0 +1,69 @@
+++
title = "Matrix Code of Conduct"
+++
This code of conduct outlines our expectations for participants within the Matrix community, as well as steps for reporting unacceptable behaviour. We are committed to providing a welcoming and inspiring community for all, and expect our code of conduct to be honoured. Anyone who violates this code of conduct may be banned from the community.
This applies to conversation in the any room in the matrix community ([+matrix:matrix.org](https://matrix.to/#/+matrix:matrix.org)) and commits and comments relating to any project in the [matrix-org](https://github.com/matrix-org) github space.
Our open source community strives to:
* **Be friendly and patient.**
* **Be welcoming**: We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
* **Be considerate**: Your work will be used by other people, and you in turn will depend on the work of others. Any decision you take will affect users and colleagues, and you should take those consequences into account when making decisions. Remember that we're a world-wide community, so you might not be communicating in someone else's primary language.
* **Be respectful**: Not all of us will agree all the time, but disagreement is no excuse for poor behaviour and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. Its important to remember that a community where people feel uncomfortable or threatened is not a productive one.
* **Be careful in the words that we choose**: Be kind to others. Do not insult or put down other participants. Harassment and other exclusionary behaviour aren't acceptable.
* **Try to understand why we disagree**: Disagreements, both social and technical, happen all the time. It is important that we resolve disagreements and differing views constructively. Remember that were different. The strength of our community comes from its diversity, people from a wide range of backgrounds. Different people have different perspectives on issues. Being unable to understand why someone holds a viewpoint doesnt mean that theyre wrong. Dont forget that it is human to err and blaming each other doesnt get us anywhere. Instead, focus on helping to resolve issues and learning from mistakes.
## Definitions
Harassment includes, but is not limited to:
- Offensive comments related to gender, gender identity and expression, sexual orientation, disability, mental illness, neuro(a)typicality, physical appearance, body size, race, age, regional discrimination, political or religious affiliation
- Unwelcome comments regarding a persons lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment
- Deliberate misgendering. This includes deadnaming or persistently using a pronoun that does not correctly reflect a person's gender identity. You must address people by the name they give you when not addressing them by their username or handle
- Physical contact and simulated physical contact (eg, textual descriptions like “*hug*” or “*backrub*”) without consent or after a request to stop
- Threats of violence, both physical and psychological
- Incitement of violence towards any individual, including encouraging a person to commit suicide or to engage in self-harm
- Deliberate intimidation
- Stalking or following
- Harassing photography or recording, including logging online activity for harassment purposes
- Sustained disruption of discussion
- Unwelcome sexual attention, including gratuitous or off-topic sexual images or behaviour
- Pattern of inappropriate social contact, such as requesting/assuming inappropriate levels of intimacy with others
- Continued one-on-one communication after requests to cease
- Deliberate “outing” of any aspect of a persons identity without their consent except as necessary to protect others from intentional abuse
- Publication of non-harassing private communication
We will not act on complaints regarding:
- Good faith and non-malicious conduct whose object is to ameliorate the conditions of disadvantaged individuals or groups including those that are disadvantaged because of race, national or ethnic origin, colour, religion, sex, age or mental or physical disability.
- Reasonable communication of boundaries, such as “leave me alone,” “go away,” or “Im not discussing this with you”
- Refusal to explain or debate social justice concepts
- Communicating in a tone you dont find congenial
- Criticizing racist, sexist, cissexist, or otherwise oppressive behaviour or assumptions
### Diversity Statement
We encourage everyone to participate and are committed to building a community for all. Although we will fail at times, we seek to treat everyone both as fairly and equally as possible. Whenever a participant has made a mistake, we expect them to take responsibility for it. If someone has been harmed or offended, it is our responsibility to listen carefully and respectfully, and do our best to right the wrong.
Although this list cannot be exhaustive, we explicitly honour diversity in age, gender, gender identity or expression, culture, ethnicity, language, national origin, political beliefs, profession, race, religion, sexual orientation, socioeconomic status, and technical ability. We will not tolerate discrimination based on any of the protected
characteristics above, including participants with disabilities.
Matrix.org and The Matrix.org Foundation takes a position on acceptable behaviour for its community as defined by the CoC, and we will not endorse behaviour which is counter to that. Matrix.org does not have a mandate to promote content which is associated with an entity whose position is incompatible with this CoC.
### Reporting Issues
If you experience or witness unacceptable behaviour — or have any other concerns — please report it by contacting us via abuse@matrix.org. All reports will be handled with discretion. In your report please include:
- Your contact information.
- Names (usernames and nicks, real names, and/or pseudonyms) of any individuals involved. If there are additional witnesses, please
include them as well. Your account of what occurred, and if you believe the incident is ongoing.
- The date and time of the incident (or start of incident).
- Any additional information that may be helpful.
After filing a report, a representative will contact you personally, review the incident, follow up with any additional questions, and make a decision as to how to respond. If the person who is harassing you is part of the response team, they will recuse themselves from handling your incident. If the complaint originates from a member of the response team, it will be handled by a different member of the response team. We will respect confidentiality requests for the purpose of protecting victims of abuse.
### Attribution & Acknowledgements
This Code of Conduct is based on the [TODO Group](https://twitter.com/todogroup)'s [Open Code of Conduct template](https://github.com/todogroup/opencodeofconduct), but with some modifications.

103
content/legal/copyright-notice.md Normal file
View file

@ -0,0 +1,103 @@
+++
title = "Matrix.org Copyright Notice"
+++
Where you read *New Vector*, *New Vector Ltd.* or *we *or* us* below, it refers
to the company we created in July 2017 to hire the Matrix core team and support
Matrixs development and so run the matrix.org homeserver: New Vector Ltd., and
its French subsidiary: New Vector SARL and their agents.
When you read the matrix.org homeserver or the Service below, it refers to
the services made available at **matrix.org** which store your account and
personal conversation history, provide services such as bots and bridges, and
communicate via the open Matrix decentralised communication protocol with the
public Matrix Network.
If the terms of this copyright notice are not acceptable, please use a Matrix
server provided by someone else!
## Reporting Claims of Copyright Infringement
We take claims of copyright infringement seriously. This policy deals with what
to do if you believe that any user contributions violate your copyright. It is
our policy to terminate the user accounts of repeat infringers.
We will respond to notices of alleged copyright infringement that comply with
applicable law. If you believe any materials accessible via the Service
infringe your copyright, you may request removal of those materials (or access
to them) from the Service by submitting written notification to our Copyright
Agent (designated below). In accordance with the Online Copyright Infringement
Liability Limitation Act of the Digital Millennium Copyright Act (17 U.S.C. §
512) ("DMCA"), the written notice (the “DMCA Notice”) must include
substantially the following:
- Your physical or electronic signature.
- Identification of the copyrighted work you believe to have been infringed or,
if the claim involves multiple works on the Website or in connection with the
Services, a representative list of such works.
- Identification of the material you believe to be infringing in a sufficiently
precise manner to allow us to locate that material.
- Adequate information by which we can contact you (including your name, postal
address, telephone number and, if available, email address).
- A statement that you have a good faith belief that use of the copyrighted
material is not authorized by the copyright owner, its agent or the law.
- A statement that the information in the written notice is accurate.
- A statement, under penalty of perjury, that you are authorized to act on
behalf of the copyright owner.
Our designated Copyright Agent to receive DMCA Notices is:
Matthew Hodgson\
10 Queen Street Place\
London\
United Kingdom\
EC4R 1AG
By email: support@matrix.org
If you fail to comply with all of the requirements of Section 512(c)(3) of the
DMCA, your DMCA Notice may not be effective.
Please be aware that if you knowingly materially misrepresent that material or
activity on the Website or in connection with the Services is infringing your
copyright, you may be held liable for damages (including costs and attorneys'
fees) under Section 512(f) of the DMCA.
### Counter-notification procedures
If you believe that material you posted on the Website or using the Services was
removed or access to it was disabled by mistake or misidentification, you may
file a counter-notification with us (a "Counter-Notice") by submitting written
notification to our Copyright Agent. Pursuant to the DMCA, the Counter-Notice
must include substantially the following:
- Your physical or electronic signature.
- An identification of the material that has been removed or to which access has
been disabled and the location at which the material appeared before it was
removed or access disabled.
- Adequate information by which we can contact you (including your name, postal
address, telephone number and, if available, email address).
- A statement under penalty of perjury by you that you have a good faith belief
that the material identified above was removed or disabled as a result of a
mistake or misidentification of the material to be removed or disabled.
- A statement that you will consent to the jurisdiction of the Federal District
Court for the judicial district in which your address is located (or if you
reside outside the United States for any judicial district in which the
Website or Services may be found) and that you will accept service from the
person (or an agent of that person) who provided the Website or Services with
the complaint at issue.
The DMCA allows us to restore the removed content if the party filing the
original DMCA Notice does not file a court action against you within ten
business days of receiving the copy of your Counter-Notice.
Please be aware that if you knowingly materially misrepresent that material or
activity on the Website or provided in connection with the Services was removed
or disabled by mistake or misidentification, you may be held liable for
damages (including costs and attorneys' fees) under Section 512(f) of the
DMCA.
### Repeat infringers
It is our policy in appropriate circumstances to disable and/or terminate the
accounts of users who are repeat infringers.

582
content/legal/privacy-notice.md Normal file
View file

@ -0,0 +1,582 @@
+++
title = "Matrix.org Homeserver Privacy Notice"
+++
Please read this document carefully before accessing or using this service!
## 1. Introduction
### 1.1 English, Not Legalese
Most Privacy Policy documents are unreadable. They are written by lawyers and
for lawyers, and in our opinion are not very effective.
Data protection and privacy are important, and we want you to understand the
issues involved. For that reason we decided to use plain English instead as
much as possible, to make our terms as clear as possible.
When you read 'the Matrix.org homeserver' or 'the Service' below, it refers to
the services made available at **[https://matrix.org](https://matrix.org)**
which store your account and personal conversation history, provide services
such as bots and bridges, and communicate via the open Matrix decentralised
communication protocol with the public Matrix Network.
The public Matrix Network is a *decentralised* and *openly federated*
communication network. This means that user messages are replicated on each
participant's server and messages posted to a room are visible to all
participants including in some cases any new joiners. This is further explained
at 2.3.
Where you read *The Matrix.org Foundation C.I.C.*, *The Matrix.org Foundation*,
or *The Foundation*, it refers to the Community Interest Company incorporated
on 29 October 2018 to be the neutral custodian of the Matrix protocol: The
Matrix Foundation C.I.C., and their agents.
Where you read *Element* (trading name of New Vector Ltd. and New Vector
SARL), *Element.io*, or *we*, *our*, or *us* below, it refers to the company we
created in July 2017 to hire the Matrix core team and support Matrix's
development and so run the Matrix.org homeserver: New Vector Ltd., and its
French subsidiary: New Vector SARL and their agents.
**The Matrix protocol is licensed by the Matrix Foundation which makes it
available to third parties who set up their own homeserver. This privacy
policy does not apply to such Matrix servers run by anyone else - Matrix is
an open network like the Web and this agreement only applies to the server
(Matrix.org) provided by Element.**
Matrix.org is the Data Controller for the Service. We can be contacted as per
the details below:
Email: dpo@matrix.org\
Postal address:\
The Matrix.org Foundation\
c/o New Vector Ltd\
10 Queen Street Place\
London\
United Kingdom\
EC4R 1AG
Should you have other questions or concerns about this document, please send us an email at dpo@matrix.org.
### 1.2 This Is a Living Document
This is a living document. With your help, we want to make it the best in the
industry.
If you read something that rubs you the wrong way, or if you think of something
that should be added, please get in touch! We're all ears! Email dpo@matrix.org
and we'll chat.
We don't amend this document for any specific users or use case, but if your
proposed changes apply to all of our users, we'll be happy to update it for
everyone. Scroll to the bottom to see the history so far.
We will likely improve this document over time and we will take steps to inform
our users about any updates. By continuing to use the Service, you will
implicitly accept the changes we make. If updates to this document are ever
associated with significant changes to the way we collect our process your
data, we will promptly notify you.
Your access and use of the Service is always subject to the most current version
of this document.
## 2. Access to Your Data / Privacy Policy
### 2.1 What is the legal basis for processing my data and how does this affect my rights under GDPR (General Data Protection Regulation)?
#### 2.1.1 Legal Basis for Processing
Element processes your data under a [Legitimate Interest](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/)
basis of processing, to provide our Service to you in an efficient and secure
manner and to ensure the legal compliance and proper administration of our
business. Essentially, this means that we process your data only as necessary
to deliver the Service and for internal administration purposes, and in a
manner that you understand and expect. We also carry out processing that is
necessary to provide our Service to you under our Matrix.org Homeserver Terms
and Conditions and processing that is necessary to comply with our legal
obligations. Where consent is required by law in relation to certain
processing, we will ask for your consent.
We process your information for the purposes of providing our decentralised,
openly-federated and end-to-end encrypted communication Service, getting in
touch with you, responding to your requests, working with our suppliers to
deliver the Service and enabling its features, ensuring the security of our
Service, developing, fixing and improving our Service, administering our
business and complying with the law.
The nature of the Service and its implementation results in some caveats
concerning this processing, particularly in terms of GDPR Article 17 *Right to
Erasure (Right to be Forgotten)*. We believe these caveats (discussed in the
section below in detail) are in line with the broader societal interests served
by providing the Service.
In situations where the interests of the individual appear to be in conflict
with the broader societal interests, we will seek to reconcile those
differences guided by our policy.
#### 2.1.2 Your Rights as Data Subject
You have rights in relation to the personal data we hold about you. Some of
these only apply in certain circumstances. Some of these rights are explored in
more detail elsewhere in this document. For completeness, your rights under
GDPR are:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
We may ask for proof of identity before responding to your request. For more
details about these rights, please see [the guidance provided by the ICO](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).
If you have any questions or are unsure how to exercise your rights, please
contact us at dpo@matrix.org.
#### 2.1.3 Right to Erasure
You can request that we forget your copy of messages and files by instructing us
to deactivate your account (using a Matrix client such as the Element chat app)
and selecting the option instructing us to forget your messages. What happens
next depends on who else had access to the messages and files you had shared.
Any messages or files that were only accessible by your account will be deleted
from our servers within 30 days.
Where you shared messages or files with another registered Matrix user, that
user will still have access to their copy of those messages or files. Apart
from state events (see 2.1.3.1 below), these messages and files will *not* be
shared with any unregistered or new users who view the room after we have
processed your request to be forgotten.
State events are processed differently to non-state events. State events are
used by the Service to record, amongst other things, your membership in a room,
the configuration of room settings, your changing of another user's power level
and your banning a user from a room. Were we to erase these state events from a
room entirely, it would be very damaging to other users' experience of the
room, causing banned users to become unbanned, revoking legitimate
administrator privileges, etc. We therefore share state events sent by your
account with all non-essential data removed ('redacted'), even after we have
processed your request to be forgotten. This means that your username will
continue to be publicly associated with rooms in which you have participated,
even after we have processed your request to be forgotten. We are actively
[working on a solution to work around this restriction](https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix/#mxid_erasure)
and allow you to be fully forgotten while maintaining a high quality experience
for other users. If this is not acceptable to you, please do not use the
Service.
##### 2.1.3.1 Exceptional Erasure
As described above, erasing a state event may result in our needing to erase the
entire conversation at the same time. Deciding whether to take this drastic
step will require a balancing exercise to be carried out at the time of the
request, and will depend on:
- the nature of the Personal Data that the user is requesting to be erased;
- how many other users would have their fundamental rights and freedoms put at
risk if the Right to Erasure were to be exercised
- to what degree these other users would have their fundamental rights and
freedoms put at risk if the Right to Erasure were to be exercised
The Personal Data contained in a state event is usually limited to the username,
the timestamp and the conversation in which the state event was issued. State
events only represent that a user participated in a given conversation at a
given time. It is rare that this data is sensitive enough to warrant its
erasure given the drastic impact this will have on other users.
Each case will be decided based on the factors listed above. In most situations
we will not erase state events. In extreme situations, where not erasing state
events will place people at material risk of harm, we may choose to erase state
events or remove the entire conversation.
#### 2.1.3 Data Portability
Under GDPR you have a right to request a copy of your data in a
commonly-accepted format. If you would like a copy of your data, please send a
request over Matrix to [dpo@matrix.org](https://matrix.to/#/@gdpr:matrix.org).
In the future we will provide a better interface for this!
### 2.2 What Information Do You Collect About Me and Why?
**The information we collect is purely for the purpose of providing your
communication service via Matrix. We do *not* profile users or their data on
the Service.**
Be aware that while we do not profile users on the Service, third party Matrix
clients may gather usage data. The Element app (the Matrix client provided by
Element) optionally gathers opt-in anonymised usage data in order to improve
the app. This data is retained for not longer than 13 months. For more details
on how your data is processed by Element, please review its [privacy policy](https://element.io/privacy).
#### 2.2.1 Information you provide to us:
We collect information about you when you input it into the Service or otherwise
provide it directly to us.
##### 2.2.1.1 Account and Profile Information
We collect information about you when you register for an account. This
information is kept to a minimum on purpose, and is restricted to:
- Username
- Password
- Display Name (if you choose to provide one)
- Your email address (which we may mandate to mitigate abuse)
- Your verified telephone number (if you choose to provide it)
Your username and password is used to authenticate your access to the Service
and to uniquely identify you within the Service.
Your password is stored until you change it or your account is deactivated
(see 2.5 for details on how passwords are handled securely). Your username is
stored indefinitely to avoid account recycling.
Your email address is used for account verification purposes. You can delete
your email from your account after you have registered and verified, if you so
wish. Alternatively, your email address may be used for the purposes described
below:
- We will also use your email address to let you reset your password if you
forget it, and to optionally send you notifications about missed messages
from users trying to contact you on Matrix;
- We may also send you infrequent urgent messages about platform updates.
##### 2.2.1.2 Content you provide through using the Service
We store and distribute the messages and files you share using the Service
(and across the wider Matrix ecosystem via federation) as described by the
Matrix protocol and according to the access rules configured within the
system. **Storing and sharing this content is the reason the Service exists.**
This content includes any information about yourself that you choose to share.
##### 2.2.1.3 Information you provide through purchases in the Matrix Foundation Shop
The Matrix.org Shop is an online store at which you can purchase
Matrix.org-branded merchandise, such as stickers or tee-shirts. All proceeds go
to The Matrix.org Foundation. Data you provide for this purpose is processed
under [Performance of Contract](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/).
This means that we process your data for the purposes of fulfilling orders you
make from us, getting in touch with you, responding to your requests, working
with our suppliers to deliver the Service and enabling its features, ensuring
the security of our Service, developing, fixing and improving our Service,
administering our business and complying with the law.
The information we collect is purely for the purpose of taking payments for
merchandise and shipping your purchases to you. We do **not** profile users or
their data on the Service.
#### We may need your personal information to establish, bring or defend legal claims. For this purpose, we will retain your personal information for the statutory recommended 7 years after the date it is no longer needed by us for any of the purposes listed under How we use your information above**.**
#### 2.2.1.3.1 Information you provide to us:
We collect information about you when you input it into the Service or otherwise
provide it directly to us.
- Name and contact details
- Delivery address
- Purchase information
- Payment details (handled by a third party provider, not visible to Matrix.org
Foundation employees)
#### 2.2.1.3.2 Information we collect automatically as you use the service:
Your IP address is logged when you access the Service. This data is used in
order to mitigate abuse and debug operational issues. Our logs are kept for not
longer than 180 days.
**2.2.1.3.3 Third-parties**
#### BigCartel
We have selected BigCartel to provide our shopfront. By purchasing from our
shop, the following details will be shared with BigCartel:
- Your purchase details
- Your name and contact details
- Your delivery address
Here is [BigCartel's Privacy Policy](https://help.bigcartel.com/privacy-policy)
#### Stripe
We use Stripe to handle payment processing. By purchasing from our shop, the
following details will be shared with Stripe:
- Your payment details
- Your purchase value
Stripe takes care of all payment processing, so The Matrix.org Foundation and
its employees will never see your payment details.
Here is [Stripe's Privacy Policy](https://stripe.com/gb/privacy)
#### Royal Mail
We use Royal Mail Click & Drop to generate shipping labels. By purchasing from
our shop, the following details will be shared with Royal Mail Click & Drop:
- Your name and address
Here is [Royal Mail's Privacy Policy](https://www.royalmail.com/privacy-notice)
#### 2.2.2 Information we collect automatically as you use the Service:
##### Device and Connection Information
Each device you use to access the Service is allocated a
(user-configurable) identifier. When you access the Service, we record the
device identifier, the IP address it used to connect, user agent, and the time
at which it last connected to the service.
This information is gathered to help you to manage your devices - you can view
and manage the list of devices by connecting to the Service with a Matrix
client such as [the Element app](https://app.element.io).
Currently, we log the IP addresses of everyone who accesses the Service. This
data is used in order to mitigate abuse, debug operational issues, and monitor
traffic patterns. Our logs are kept for not longer than 180 days. Once Matrix
is out of beta we will consider implementing log minimisation.
### 2.3 What Information is Shared With Third Parties and Why?
#### 2.3.1 Sharing Data with Connected Services
We may share your information when working with our suppliers in order to
provide the Service.
In addition, the Matrix.org homeserver is a *decentralised* and *open* service.
This means that, to support communication between users on different
homeservers or different messaging platforms, your username, display name and
messages and files are sometimes shared with other services that are connected
with the Matrix.org homeserver.
##### 2.3.1.1 Federation
Matrix homeservers share user data with the wider ecosystem over federation.
- When you send messages or files in a room, a copy of the data is sent to all
participants in the room, including (depending on room settings) participants
who join the room in future. If these participants are on remote homeservers,
your username, display name, messages and files may be replicated across each
participating homeserver.
- We will forget your copy of your data upon your request. We will also forward
your request to be forgotten onto federated homeservers. However, these
homeservers are outside our span of control, so we cannot guarantee they will
forget your data.
- Federated homeservers can be located anywhere in the world, and are subject to
local laws and regulations.
Access control settings are shared between homeservers, as well as any requests
to remove messages by "redactions", or remove personal data under GDPR Article
17 *Right to Erasure (Right to be Forgotten)*. Federated homeservers and Matrix
clients which respect the Matrix protocol are expected to honour these controls
and redaction/erasure requests, but other federated homeservers are outside of
the span of control of Element, and we cannot guarantee how this data will be
processed. Federated homeservers can also be located in any territory, and will
be subject to the local regulations of that territory.
**2.3.1.2 Bridging**
Some Matrix rooms are bridged to third-party services, such as IRC networks,
Twitter or email. When a room has been bridged, your username, display name,
messages and file transfers may be duplicated on the bridged service where
supported.
- It may not be technically possible to support your management of your data
once it has been copied onto a bridged service.
- Bridged services can be located anywhere in the world, and are subject to
local laws and regulations.
Access control settings, requests to remove messages by "redactions" or remove
personal data under GDPR Article 17 *Right to Erasure (Right to be Forgotten)*
are shared to bridging services, which are expected to honour them to the best
of their ability. Be aware that not all bridged networks or bridges support the
necessary technical capabilities to limit, remove or erase messages. If this is
not acceptable to you, please do not use bridged rooms.
##### Integration Services (Bots and Widgets)
The Matrix.org homeserver provides a range of integrations in the form of
Widgets (miniature web applications accessed as part of a Matrix Client) and
Bots (automated participants in rooms). Bots and Widgets currently have access
to all the messages and files in any room in which they participate, although
we are adding a more sophisticated access control system.
#### Transfers of your Data
If you use our Service your data will be transferred outside of the EU to other
homeservers and services connected with matrix.org as this is necessary to
provide the Service to you. By the very nature of our Service, such transfers
will occur regularly and we have no control over the safeguards adopted by
third party recipients.
Where we engage suppliers to process your data outside the EU we will ensure
that appropriate safeguards such as the standard contractual clauses are in
place.
### 2.4 Sharing Data in Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights
In exceptional circumstances, we may share information about you with a third
party if we believe that sharing is reasonably necessary to
1. comply with any applicable law, regulation, legal process or governmental
request,
1. protect the security or integrity of our products and services (e.g. for a
security audit),
1. protect Element and our users from harm or illegal activities, or
1. respond to an emergency which we believe in good faith requires us to
disclose information to assist in preventing the serious bodily harm of any
person.
### 2.5 How Do You Handle Passwords?
We never store password data in plain text; instead they are stored hashed
(with at least 4096 rounds of bcrypt, including both a salt and a server-side
pepper secret). Passwords sent to the server are encrypted using SSL.
It is your sole responsibility to keep your user name, password and other
sensitive information confidential. Actions taken using your credentials shall
be deemed to be actions taken by you, with all consequences including service
termination, civil and criminal penalties.
If you become aware of any unauthorised use of your account or any other breach
of security, you must notify Element immediately by sending an email to
[security@matrix.org](mailto:security@matrix.org). Suspicious devices can be
deleted using the User Settings management tools in a Matrix client such as
[app.element.io](https://app.element.io), and users should manage good password
hygiene (e.g. using a password manager) and change their password if they
believe their account is compromised.
If you forget your password (and you have registered an email address) you can
use the password reset facility to reset it.
You can manage your account by using a Matrix client such as [https://element.io/app](https://element.io/app)
We will never change a password for you.
### 2.6 Our Commitment to Children's Privacy
We never knowingly collect or maintain information in the Service from those we
know are under 16, and no part of the Service is structured to attract anyone
under 16. If you are under 16, please do not use the Service.
### 2.7 How Can I Access or Correct My Information?
You can access all that we collect about you by using any compatible Matrix
client (such as [https://element.io/app](https://element.io/app)) and managing
your User Settings. You can download a copy of all your data as per section
2.1.3.
### 2.8 Who Can See My Messages and Files?
In unencrypted and encrypted rooms, users connecting to the Matrix.org
homeserver (directly or over federation) will be able to see messages and files
according to the access permissions configuration of the relevant room. This
data is stored in the format it was received on our servers, and can be viewed
by New Vector engineers (employees and contractors) under the conditions
outlined below.
In encrypted rooms, the data is stored in our databases but the encryption keys
are stored only on your devices or by yourself. Users can optionally backup an
encrypted copy of their keys on the Service to aid recovery if they lose all
their keys and devices. This key backup is encrypted by a recovery key that
only the user has access to. This means that nobody, even Element engineers
(employees and contractors) can see your message content in our database, and
if you lose access to your encryption keys you lose access to your messages
forever.
We use HTTPS to transfer all data. End-to-end encrypted messaging data is
stored encrypted using AES-256, using message keys generated using the [Olm and
Megolm cryptographic ratchets](/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/).
### 2.9 What Are the Guidelines Element Follows When Accessing My Data?
- We restrict who at Element (employees and contractors) can access user data to
roles which require access in order to maintain the health of the Service;
- We have technical procedures in place to prevent unauthorised access to user
data;
- We never share what we see with other users or the general public.
### 2.10 Who Else Has Access to My Data?
We host the majority of the Service in [UpCloud](https://www.upcloud.com/) data
centres. Here's [UpCloud's privacy policy](https://www.upcloud.com/blog/updated-terms-privacy-policy-gdpr/).
UpCloud controls physical access to their locations.
We host some Services in [Mythic Beasts](https://www.mythic-beasts.com/) data
centres. Heres [Mythic Beasts privacy policy](https://www.mythic-beasts.com/terms/privacy).
We store some files shared through the Service on Amazon Web Services (AWS).
Amazon employees have access to this data. Here's [Amazon's privacy policy](http://aws.amazon.com/privacy/).
Amazon controls physical access to their locations.
We use Cloudflare to mitigate the risk of DDoS attacks. Here's [CloudFlare's
privacy policy](https://www.cloudflare.com/privacypolicy/).
Physical access to our offices and locations use typical physical access
restrictions.
We use secure private keys when accessing servers via SSH, and protect our AWS
console passwords locally with a password management tool.
We log application data (username, user IP and user agent). We keep logs for no
longer than 180 days.
### 2.11 What happens if Element is sold?
In the event that we sell or buy any business or assets, we may disclose your
personal data to the prospective seller or buyer of such business or assets.
If we or substantially all of our assets are acquired by a third party, personal
data held by us about our users will be one of the transferred assets.
### 2.12 How Is My Data Protected from Another User's Data?
All of our users' data for the Service currently resides in the same database
cluster which is due to the nature of our Service. We use software best
practices to guarantee that only people who you designate as viewers of your
data can access it. In other words, we segment our user data via software. We
do our best and are very confident we're doing a good job at it, but, like
every other service that hosts their user data on the same database, we cannot
guarantee that it is immune to a sophisticated attack.
### 2.13 What Should I Do If I Find a Security Vulnerability in the Service?
If you have discovered a security concern, please email us at
[security@matrix.org](mailto:security@matrix.org). We'll work with you to make
sure that we understand the scope of the issue, and that we fully address your
concern. We consider correspondence sent to [security@matrix.org](mailto:security@matrix.org)
our highest priority, and work to address any issues that arise as quickly as
possible.
Please act in good faith towards our users' privacy and data during your
disclosure. White hat security researchers are always appreciated.
## 3. Making a Complaint
We try to meet the highest standards when collecting and using personal
information. For this reason, we take any complaints we receive about this very
seriously. We encourage people to bring it to our attention at [dpo@matrix.org](mailto:dpo@matrix.org)
if they think that our collection or use of information is unfair, misleading
or inappropriate. We would also welcome any suggestions for improving our
procedures.
If you want to make a complaint about the way we have processed your personal
information to the supervisory authority, you can contact the ICO (the
statutory body which oversees data protection law) at <https://www.ico.org.uk/concerns>.
## 4. Document History
- 2018, March 28: created.
- 2019, August 22: revised.
- 2020, August 10: revised
**A note to other startups:** this document was heavily inspired by [Balsamiq's
plain English ToS document](https://docs.balsamiq.com/mybalsamiq/tos/). We were
impressed by their championing of plain English, and wanted to reproduce that
as much as possible in our own legal documentation. Feel free to draw similar
inspiration from this document, though be sure to get any documents you produce
checked over by a lawyer. Good luck!

437
content/legal/terms-and-conditions.md Normal file
View file

@ -0,0 +1,437 @@
+++
title = "Matrix.org Homeserver Terms and Conditions"
+++
Please read this document carefully before accessing or using this service!
# 1. Introduction
## 1.1 English, Not Legalese
Most Terms of Use and Privacy Policy documents are unreadable. They are written
by lawyers and for lawyers, and in our opinion are not very effective.
We decided to use plain English as much as possible, to make our terms as clear
as possible. Some sections still have room for improvement - we plan to tackle
these over time.
When you read the matrix.org homeserver or the Service below, it refers to
the services made available at **matrix.org** which store your account and
personal conversation history, provide services such as bots and bridges, and
communicate via the open Matrix decentralised communication protocol with the
public Matrix Network.
Where you read *New Vector*, *New Vector Ltd.* or *we *or* us* below, it refers
to the company we created in July 2017 to hire the Matrix core team and support
Matrixs development and so run the matrix.org homeserver: New Vector Ltd., and
its French subsidiary: New Vector SARL and their agents. **This agreement does
not apply to Matrix servers run by anyone else - Matrix is an open network like
the Web and this agreement only applies to the server (matrix.org) provided by
New Vector Ltd.**
If this agreement is not acceptable, please use a Matrix server provided by
someone else!
Contact Information:
Email: [support@matrix.org](mailto:support@matrix.org)
Postal address:
10 Queen Street Place\
London\
United Kingdom\
EC4R 1AG
Should you have other questions or concerns about this document, please send us
an email at [support@matrix.org](mailto:support@matrix.org).
## 1.2 Using The Service Means Accepting These Terms
By accessing or using the Service in any way, whether you have created a Matrix
account on the matrix.org homeserver, or whether you are accessing content
federated from the matrix.org homeserver to another Matrix homeserver, or are
just browsing rooms as an unauthenticated guest, you agree to and are bound by
the terms and conditions written in this document.
If you do not agree to all of the terms and conditions contained in this
document, please use a Matrix server provided by someone else and refrain from
accessing content federated from this server.
## 1.3 This Is a Living Document
This is a living document. With your help, we want to make it the best in the
industry.
If you read something that rubs you the wrong way, or if you think of something
that should be added, please get in touch! Were all ears! Email
support@matrix.org and well chat.
We dont amend this document for any specific users or use case, but if your
proposed changes apply to all of our users, well be happy to update it for
everyone. Scroll to the bottom to see the history so far.
We will likely improve this document over time. By continuing to use the
Service, you will implicitly accept the changes we make.
Your access and use of the Service is always subject to the most current version
of this document.
## 1.4 Breach of Terms
If you breach any of the terms and conditions in this document, your
authorization to access or use the Service automatically terminates.
We may block, restrict, disable, suspend or terminate your access to all or part
of the Service at any time in our sole discretion, without prior notice or
liability to you.
If you think we removed your access by mistake, send an email to
[support@matrix.org](mailto:support@matrix.org) and well give you our
reasoning.
# 2. Support
Support for the matrix.org homeserver is provided on a best effort basis by New
Vector Ltd - however, support is often available from the wider Matrix
Community in the public Matrix Support rooms (as listed in the
[+matrix:matrix.org](https://matrix.to/#/+matrix:matrix.org) community).
Queries sent to [support@matrix.org](mailto:support@matrix.org) will be
addressed on a best-effort basis by the paid team. Phone support is not
provided.
We love Matrix and will support our users as much as we can, but we are also a
small team and value our work/life balance. This means that although well try
our best, we do not provide 24/7 support.
# 3. Intellectual Property Rights
*Note on Plain English: We know that the language in this section still reads
like legalese - this will be improved in later revisions of this document.*
## 3.1 Who Owns the IP of My Messages and Files?
We do not claim intellectual property rights over rooms, message content or
files uploaded to the Service.
You acknowledge and agree that we have no liability of any kind should anyone
you granted access to your messages or files modify, destroy, corrupt, copy or
distribute them, or violate the terms of use or other limitations that you may
impose on the use of your shared content.
We may pre-screen user messages or files to prevent spam and other abuse, and we
may remove any messages or files (including entire rooms) from the matrix.org
homeserver for any reason without notice at our sole discretion. By posting or
uploading your messages or files, you represent and warrant that you own or
otherwise control all of the intellectual property rights and other rights to
your user materials as described in these Terms of Use, including all the
rights necessary for you to post or upload said messages or files.
You are solely and entirely responsible for all of your messages and files that
you post or otherwise submit via the Service. You shall assume all risks
associated with the use of said content including any reliance on the accuracy,
completeness or usefulness. New Vector does not guarantee the accuracy,
integrity or quality of your messages or files.
You acknowledge and agree that by accessing or using the Service, you may be
exposed to user materials from others that are offensive, indecent or otherwise
objectionable.
# 4. Reliability
## 4.1 Do You Guarantee That The Service Will Be Accessible at All Times?
In short, we do not. Like all other cloud-based applications, we are vulnerable
to the inherent unreliability of the Internet. We do not offer contracted SLA
for availability of the Service and your data.
We monitor the Service closely and have set up automated alarms to be notified
(via email, push notifications and phone calls) when the matrix.org homeserver
is under stress, so that we can deal with the issue before it becomes a problem
that might impact customer access.
You acknowledge and agree that New Vector Ltd. shall not be liable for any
failure to store your materials on the matrix.org homeserver at any time.
# 5. App Developers
We encourage you to write software that uses the Matrix Protocol and interfaces
with the Service!
The Matrix Protocol and our implementation will change over time, and we may
change or deprecate APIs or behaviour for any feature of the Service from time
to time - it is your responsibility to ensure that calls or requests you make
to or via our Service are compatible with then-current APIs for the Service. We
will always try to inform you of any changes with reasonable notice so you can
adjust your Application, but we are under no obligation to do so.
Provided that you comply with the terms of this Agreement and our policies and
procedures, you may use the Service to execute Applications owned by you. You
are solely responsible for your Applications, including any data, text, images
or content they contain.
# 6. Play Nice Clauses
*Note on Plain English: We know that the language in this section still reads
like legalese - this will be improved in later revisions of this document.*
## 6.1 Use of The Service
You agree that you shall not:
- Use or attempt to gain unauthorised access to or use anothers account,
password, data, or computer systems or networks connected to the matrix.org
homeserver, whether through malicious attacks, password mining or any other
means.
- Access or attempt to access any material that you are not authorized to
access.
- Submit or transmit any material that violates or infringes the rights of
others including, without limitation, patent, trademark, trade secret,
copyright, publicity, or other proprietary rights. Please see our
[Copyright Policy](https://matrix.org/copyright-notice) for further details.
- Disrupt or interfere with the security of, or otherwise cause harm to, the
matrix.org homeserver, systems resources, accounts, passwords, servers or
networks connected to or accessible through the Service or any affiliated or
linked sites.
- Use the Service to transmit unsolicited or bulk communications to anyone at
all, be they users of the Service, federated Matrix homeservers, or connected
on a bridged network.
- Post or otherwise submit any software, programs or files in a manner that is
intended to cause harm or disruption of anothers equipment, software or
other property, including any corrupted files, time bombs, Trojan horses,
viruses and worms.
- Disrupt, interfere or inhibit any other user from using and enjoying the
Service.
- Access or use the Service in any manner that could damage, disable, overburden
or impair any server we run or the network(s) connected to the Service.
- Violate any applicable laws or regulations related to the access to or use of
the Service, or engage in any activity prohibited by the Terms of Use.
- Use the Service for any unlawful purposes or in support of illegal activities
under UK/EU law. By using the Service, you agree to comply with all
applicable laws governing your online conduct and content
- Act in a way that is in violation of our [Code of Conduct](/legal/code-of-conduct/)
in rooms that are part of the Matrix community (
[+matrix:matrix.org](https://matrix.to/#/+matrix:matrix.org)).
- Violate the rights of New Vector or any third party (including rights of
privacy and publicity) or abuse, defame, harass, stalk or threaten another.
Materials and Services provided by third parties are governed by separate
agreements accompanying such materials and services. New Vector Ltd. offers no
guarantees and assumes no responsibility or liability of any type with respect
to the third-party services, including any liability resulting from
incompatibility between a third-party service, the matrix.org service or
another third-party service. You agree that you will not hold New Vector Ltd.
responsible or liable with respect to the third-party services.
## 6.1.1 Room Aliases on the Matrix.org Homeserver
An outside organisation can claim ownership over room aliases bearing that
organisation's names or identifiers. If you represent an organisation, and
would like to take over a room alias for it, please [contact us](mailto:support@matrix.org).
We want users on the matrix.org homeserver to be able to engage in a healthy,
approachable community. To maintain a good user experience we reserve the right
to remove or modify room aliases.
## 6.2 Illegal Content
Any content containing or promoting indecent images/depictions of children is
illegal and utterly prohibited on the Service. When we become aware of such
content, we refer the details to the relevant authorities. If youve found an
account, room or group being used for the distribution or promotion of child
sexual exploitation, please share the details in an email to [abuse@matrix.org](mailto:abuse@matrix.org).
# 7. Restriction and Termination of Use
We may block, restrict, disable, suspend or terminate your access to all or part
of the Service at any time in our sole discretion, without prior notice or
liability to you.
# 8. Encryption
The Services may allow you to encrypt your communications end-to-end between
devices. There may be restrictions and limitations on the import, possession,
use, transfer and/or export of strong encryption technology under the laws of
the country in which you intend to use the Service. It is your sole obligation
and responsibility to check such restrictions and limitations before using the
Service and to comply with them. We reserve the right to suspend the Service
immediately and without notice if we determine, in our sole judgment, that the
Service is being used in violation of local regulations governing the use of
cryptographic technologies (even though we have no responsibility to make such
determination).
# 9. Links to Third Party Sites
The Service may include links that will take you to other sites outside of the
the Service. The linked sites are provided as a convenience and the inclusion
of the links do not imply any endorsement by us of any linked site. We have no
control of the linked sites and you therefore acknowledge and agree that we are
not responsible for the contents of any linked site, any link contained in a
linked site or any changes or updates to a linked site. You further acknowledge
and agree that we are not responsible for any form of transmission
(e.g. webcasting) received from any linked site.
# 10. Warranties and Disclaimers
The matrix.org service is provided by New Vector under these terms of use "as
is" without warranty of any kind, either express, implied, statutory or
otherwise, including, but not limited to, the implied warranties of title,
non-infringement, merchantability or fitness for a particular purpose. Without
limiting the foregoing, New Vector makes no warranty that:
1. the Service will meet your requirements;
2. the Service will be uninterrupted, timely, secure, or error-free;
3. the quality of the Service will meet your expectations; and
4. any errors or defects in the Service will be corrected.
You acknowledge and agree that:
1. New Vector does not control, endorse, or accept responsibility for any
materials or services offered by third parties (except where stated
otherwise), including third-party vendors and third parties accessible
through linked sites;
2. New Vector makes no representations or warranties whatsoever about any such
third parties, their materials or services;
3. any dealings you may have with such third parties are at your own risk; and
4. New Vector shall not be liable or responsible for any materials or services
offered by third parties.
New Vector does not control or endorse the materials or message content found in
any rooms or communities. To the maximum extent permitted by law, New Vector
Ltd. will have no liability related to user materials arising under
intellectual property rights, libel, privacy, publicity, obscenity or other
laws. New Vector Ltd. also disclaims all liability with respect to the misuse,
loss, modification or unavailability of any user messages or files.
The use of the Service is done at your own discretion and risk and with your
agreement that you will be solely responsible for any damage to your computer
system, loss of data or other harm that results from such activities. New
Vector assumes no liability for any computer virus or other similar software
code that is downloaded to your computer from the site or in connection with
any services or materials. No advice or information, whether oral or written,
obtained by you from New Vector or via the site, services or materials shall
create any warranty not expressly stated in the terms of use. New Vector will
not be liable for any loss that you may incur as a result of someone else using
your password or account with respect to the site or any services or materials,
either with or without your knowledge.
Some states or jurisdictions do not allow the exclusion of implied warranties or
limitations on how long an implied warranty may last, so the above limitations
may not apply to you. To the extent permissible, any implied warranties are
limited to ninety days.
# 11. Indemnity and Liability
*Note on Plain English: We know that the language in this section still reads
like legalese - this will be improved in later revisions of this document.*
You agree to indemnify and hold New Vector and its officers, co-branders, other
partners and employees harmless from any claim or demand, including reasonable
attorneys fees, made by any third party due to or arising out of:
1. your user materials and any other content (e.g. computer viruses) that you
may submit, post to or transmit through the Service, including a third
partys use of such user materials or content (e.g. reliance on the accuracy,
completeness or usefulness of your user materials);
2. your access to or use of the Service (including any use by your employees,
contractors or agents and all uses of your usernames and passwords, whether
or not actually or expressly authorized by you, in connection with the
Service);
3. your connection to the Service;
4. your violation of the Terms of Use;
5. your infringement of any third partys intellectual property rights when
using any of the software made available on the Service;
6. your violation of any rights of any third party;
7. your access to or use of linked sites and your connections thereto; or
8. any dealings between you and any third parties advertising or promoting via
the Service.
# 12. Emergency Service Calls
The Service does not and is not intended to support or carry emergency calls to
any emergency services (e.g. E911 or 112 numbers). We are not liable for any
claims, damages or loss which arise from this limitation.
# 13. Limitation of Liability
*Note on Plain English: We know that the language in this section still reads
like legalese - this will be improved in later revisions of this document.*
In no event shall New Vector, its officers, directors, employees, partners or
suppliers be liable to you or any third party for any special, punitive,
incidental, indirect or consequential damages or losses of any kind, or any
damages or losses whatsoever, including those resulting from loss of use, data
or profits, whether or not foreseeable or if New Vector has been advised of the
possibility of such damages or losses, and on any theory of liability,
including breach of contract or warranty, negligence or other tortious action,
or any other claim arising out of or in connection with:
1. the access or use of or the inability to access or use the Service;
2. the statements or actions of any third party on or via the site, services or
materials;
3. any dealings with vendors or other third parties;
4. any unauthorized access to or alteration of your transmissions, user
materials or other data;
5. any information that is sent or received or not sent or received;
6. any failure to store or loss of data, files, materials or other content;
7. any services available that are delayed or interrupted;
8. any web site referenced or linked to from this site; or
9. your access to or use of or inability to access or use any linked site.
Some jurisdictions prohibit the exclusion or limitation of liability for
consequential or incidental damages. Accordingly, the limitations and
exclusions set forth above may not apply to you.
# 14. Governing Law and Jurisdiction
This Agreement shall be governed by the laws of England and Wales, excluding its
conflict of law provisions. Unless contrary to the law where you reside, all
disputes relating to this Agreement are subject to the exclusive jurisdiction
of the courts of England and Wales and you expressly consent to the exercise of
personal jurisdiction in the courts of England and Wales in connection with any
such dispute. This Agreement shall not be governed by the United Nations
Convention on Contracts for the International Sale of Goods.
# 15. General
The Service is licensed, not sold, to you by New Vector Ltd for use strictly in
accordance with the terms and conditions of this Agreement. Ownership of the
Service shall at all times remain with New Vector Ltd. Access to the Service is
provided to you only to allow you to exercise your rights under this
Agreement.
## 15.1 Grant of Licence
Subject to your acceptance of, and compliance with, this Agreement and any
payment requirements for the Service (if applicable), New Vector Ltd hereby
grants you a limited, non-exclusive, non-transferable, revocable,
non-sublicensable licence, in and under our intellectual property rights, to
access and use the Services, solely in accordance with the terms and conditions
of this Agreement. Unless explicitly stated otherwise, any new features
provided by us that augment or enhance the current Service shall also
constitute "Service" and shall be subject to these terms and conditions. All
rights not expressly granted under this Agreement are retained by New Vector
Ltd.
You may also be subject to additional terms and conditions that may apply when
you use other New Vector services, third party content or third party software.
If for any reason a court of competent jurisdiction finds any provision of the
Terms of Use, or portion thereof, to be unenforceable, that provision shall be
enforced to the maximum extent permissible so as to effect the intent of the
parties as reflected by that provision, and the remainder of the Terms of Use
shall continue in full force and effect. Any failure by New Vector to enforce
or exercise any provision of the Terms of Use or related right shall not
constitute a waiver of that right or provision. The section titles used in the
Terms of Use are purely for convenience and carry with them no legal or
contractual effect.
# 16. Document History
* 2018, March 28: created.
**A note to other startups:** this document was heavily inspired by [Balsamiqs
plain English ToS document](https://docs.balsamiq.com/mybalsamiq/tos/). We were
impressed by their championing of plain English, and wanted to reproduce that
as much as possible in our own legal documentation. Feel free to draw similar
inspiration from this document, though be sure to get any documents you produce
checked over by a lawyer. Good luck!

47
content/security-disclosure-policy.md Normal file
View file

@ -0,0 +1,47 @@
+++
title = "Security Disclosure Policy"
+++
Matrix.org greatly appreciates investigative work into security vulnerabilities
carried out by well-intentioned, ethical security researchers. We follow the
practice of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure)
in order to best protect Matrixs user base from the impact of security issues.
On our side, this means:
We will respond to security incidents as a priority.
- We will work with you to establish a disclosure time frame for the reported
vulnerability. During this time frame, we will either work on a fix or decide
to accept the risk, after which we will disclose the vulnerability.
- We will always transparently let the community know about any incident that
affects them.
In general, we will aim for a fix within 90 days of processing your report, but
we may propose a longer time frame (usually 120 days) for especially complex
vulnerabilities. In some cases, when a vulnerability is particularly disruptive
and/or easy to exploit, we may delay publishing technical details for an
additional period after the fix is publicly available (usually no longer than
30 days).
If you have found a security vulnerability in Matrix, we ask that you disclose
it responsibly by emailing [security@matrix.org](mailto:security@matrix.org).
Optionally, if you want to encrypt your email, you can use our [PGP key](/.well-known/pgp-key.txt).
Please do not discuss potential vulnerabilities in public without validating
with us first.
On receipt, the security team will:
- Review the report, verify the vulnerability and respond with confirmation
and/or further information requests; we typically reply within 24 hours.
- Once the reported security bug has been addressed we will notify the
Researcher, who is then welcome to optionally disclose publicly.
The following is a list of known issues and/or things we do not consider to be
an issue. Please **do not** send reports regarding the following:
- Issues relating to SPF or DMARC.
The Matrix.org Foundation does not ordinarily provide bug bounties, though
organisations building on top of Matrix may do so in future. We maintain a
[Security Hall of Fame](/security-hall-of-fame) to recognise those who have
responsibly disclosed security issues to us in the past.

466
content/security-hall-of-fame/findings.toml Normal file
View file

@ -0,0 +1,466 @@
[[findings]]
date = "2022-10-18"
reporter.name = "aoxsin"
reporter.link = "https://twitter.com/aoxsin"
summary = """
Discovered that pinecone.matrix.org was exposing pprof.
"""
project = "matrix.org infrastructure"
[[findings]]
date = "2022-10-12"
reporter.name = "Dionysis Grigoropoulos"
reporter.link = "https://erethon.com/"
summary = """
Discovered a reflected and stored XSS in the Matrix Public Archive project.
Fixed in [commit 12d96ee](https://github.com/matrix-org/matrix-public-archive/pull/79/commits/12d96ee27705bc1926fb61141df4eeb3e63f0cc9).
"""
project = "Matrix Public Archive"
[[findings]]
date = "2022-10-08"
reporter.name = "Dinesh kumar"
reporter.link = "https://twitter.com/dhina016"
summary = """
Reported that grafana.matrix.org metrics were publicly exposed.
"""
project = "matrix.org infrastructure"
[[findings]]
date = "2022-09-17"
reporter.name = "Josh Enders"
reporter.link = "https://www.twitter.com/joshenders"
summary = """
Discovered a FaceID bypass in Element iOS. Fixed in
[Element iOS 1.9.7](https://github.com/vector-im/element-ios/releases/tag/v1.9.7).
"""
project = "Element iOS"
[[findings]]
date = "2022-08-23"
reporter.name = "Cyastis Volantis"
reporter.link = "https://github.com/Cyastis"
summary = """
Discovered issue with PIN screen being bypassable by opening the application in
landscape mode. Fixed in [Element iOS 1.9.1](https://github.com/vector-im/element-ios/releases/tag/v1.9.1).
"""
project = "Element iOS"
[[findings]]
date = "2022-06-06"
reporter.name = "Val Lorentz"
reporter.link = "https://valentin-lorentz.fr/"
summary = """
Discovered a parsing issue which could lead to channel/room takeovers
([CVE-2022-39203](https://www.cve.org/CVERecord?id=CVE-2022-39203),
[GHSA-xvqg-mv25-rwvw](https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-xvqg-mv25-rwvw)).
Fixed in [matrix-appservice-irc 0.35.0](https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.35.0)
([blog post](https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity)).
"""
project = "matrix-appservice-irc"
[[findings]]
date = "2022-05-13"
reporter.name = "Val Lorentz"
reporter.link = "https://valentin-lorentz.fr/"
summary = """
Discovered an IRC mode parameter parsing confusion which could lead to wrong
modes being applied ([CVE-2022-39202](https://www.cve.org/CVERecord?id=CVE-2022-39202),
[GHSA-cq7q-5c67-w39w](https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-cq7q-5c67-w39w)).
Fixed in [matrix-appservice-irc 0.35.0](https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.35.0)
([blog post](https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity)).
"""
project = "matrix-appservice-irc"
[[findings]]
date = "2022-05-10"
reporter.name = "Martin R. Albrecht, Sofía Celi, Benjamin Dowling and Daniel Jones"
reporter.link = "https://nebuchadnezzar-megolm.github.io/"
summary = """
For an excellent analysis exposing several cryptographic implementation
vulnerabilities in the first generation Matrix SDKs. See the [disclosure blog
post](https://www.matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients)
and the [research paper](https://nebuchadnezzar-megolm.github.io/static/paper.pdf)
for details.
"""
project = "Several Matrix SDKs"
[[findings]]
date = "2022-05-12"
reporter.name = "Rex Kim (@rexouflage)"
reporter.link = "https://twitter.com/rexouflage"
summary = """
Reported an RTLO injection issue allowing an attacker to construct a link
appearing to lead to an URL while actually leading to another. Fixed in Element
iOS [1.8.17](https://github.com/vector-im/element-ios/releases/tag/v1.8.17) and
Element Android [1.4.18](https://github.com/vector-im/element-android/releases/tag/v1.4.18).
Mitigated in [Element Desktop 1.11.1](https://github.com/vector-im/element-web/releases/tag/v1.11.1)
by enabling link tooltips.
"""
project = "Element clients"
[[findings]]
date = "2022-05-04"
reporter.name = "Val Lorentz"
reporter.link = "https://valentin-lorentz.fr/"
summary = """
IRC command injection in the matrix-appservice-irc bridge when replying to a
malicious message due to incomplete newline sanitization. Fixed in
matrix-appservice-irc 0.33.2 and node-irc 1.2.1. Tracked as
[GHSA-37hr-348p-rmf4](https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-37hr-348p-rmf4)
and [GHSA-52rh-5rpj-c3w6](https://github.com/matrix-org/node-irc/security/advisories/GHSA-52rh-5rpj-c3w6).
"""
project = "matrix-appservice-irc / node-irc"
[[findings]]
date = "2022-01-31"
reporter.name = "s1r1us and TheGrandPew"
reporter.link = "https://blog.s1r1us.ninja/"
summary = """
Remotely triggerable host program execution with user interaction, caused by an
outdated Electron dependency. Depending on the host environment, full RCE may be
possible. Fixed in Element Desktop 1.9.7 and tracked as [GHSA-mjrg-9f8r-h3m7](https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7)
/ [CVE-2022-23597](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23597).
"""
project = "Element Desktop"
[[findings]]
date = "2021-11-18"
reporter.name = "Oliver Behnke"
reporter.link = "https://github.com/brevilo"
summary = """
Buffer overflow in olm_session_describe in libolm before version 3.2.8, remotely
triggerable from matrix-js-sdk before 15.2.1. Fixed in libolm 3.2.8 and
matrix-js-sdk 15.2.1. Assigned [CVE-2021-44538](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44538).
"""
project = "libolm"
[[findings]]
date = "2021-09-23"
reporter.name = "Pascal \"nephele\" Abresch"
summary = """
Reported that Matrix Static (used for view.matrix.org) was vulnerable to XSS via
room names due to missing sanitization. Fixed in [Matrix Static 0.3.1](https://github.com/matrix-org/matrix-static/releases/tag/0.3.1).
"""
project = "Matrix Static"
[[findings]]
date = "2021-09-17"
reporter.name = "The UK's National Cyber Security Centre (NCSC)"
reporter.link = "https://www.ncsc.gov.uk/"
summary = """
JavaScript code execution when previewing user file attachments in Element iOS
before 1.6.8 on iOS 12 and earlier. Fixed in Element iOS 1.6.8.
"""
project = "Element iOS"
[[findings]]
date = "2021-08-31"
reporter.name = "Thomas Chauchefoin (SonarSource)"
reporter.link = "https://www.sonarsource.com/"
summary = """
Discovered status.matrix.org was running a version of Cachet vulnerable to an
[SQL injection](https://nvd.nist.gov/vuln/detail/CVE-2021-39165). Since this
host was used solely for running the status page, we fixed this by
decommissioning it and switching to Atlassian's Statuspage service.
"""
project = "status.matrix.org"
[[findings]]
date = "2021-07-03"
reporter.name = "Aaron Raimist"
reporter.link = "https://github.com/aaronraimist/"
summary = """
Discovered that an explicit assignment of power level 0 was misinterpreted as
the default power level. Fixed in Synapse v1.40.0.
"""
project = "Synapse"
[[findings]]
date = "2021-05-21"
reporter.name = "Aaron Raimist and an anonymous security researcher"
reporter.link = "https://github.com/aaronraimist/"
summary = """
Discovered that Element Android was disclosing the filename of end-to-end
encrypted attachments to the homeserver. Fixed in Element Android 1.1.8.
"""
project = "Element Android"
[[findings]]
date = "2021-03-01"
reporter.name = "Graham Leach-Krouse"
reporter.link = "http://grahamlk.com/"
summary = """
Authentication bypass in SQLite deployments. Fixed in [Dendrite v0.3.11](https://github.com/matrix-org/dendrite/releases/tag/v0.3.11).
"""
project = "Dendrite"
[[findings]]
date = "2021-02-16"
reporter.name = "Guilherme Keerok"
reporter.link = "https://github.com/keerok"
summary = """
User content sandbox could be tricked into opening arbitrary documents
([CVE-2021-21320](https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x)).
Fixed in [matrix-react-sdk 3.15.0](https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.15.0).
"""
project = "Matrix React SDK"
[[findings]]
date = "2021-01-18"
reporter.name = "Michaël Scherer"
reporter.link = "https://github.com/mscherer/"
summary = """
IP blacklist bypass via transitional IPv6 addresses on dual-stack networks
([CVE-2021-21392](https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78)).
Fixed in Synapse 1.28.0.
"""
project = "Synapse"
[[findings]]
date = "2021-01-07"
reporter.name = "Andrea Spacca"
reporter.link = "https://github.com/aspacca"
summary = """
Element iOS crash via an invalid content payload. Fixed in Element iOS 1.1.4.
"""
project = "Element iOS"
[[findings]]
date = "2020-11-17"
reporter.name = "Michaël Scherer"
reporter.link = "https://github.com/mscherer/"
summary = """
Denial of service attack via .well-known lookups ([CVE-2021-21274](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21274)).
Fixed in Synapse 1.25.0.
"""
project = "Synapse"
[[findings]]
date = "2020-11-17"
reporter.name = "Michaël Scherer"
reporter.link = "https://github.com/mscherer/"
summary = """
IP blacklist bypass via redirects on some federation and push requests
([CVE-2021-21273](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21273)).
Fixed in Synapse 1.25.0.
"""
project = "Synapse"
[[findings]]
date = "2020-09-20"
reporter.name = "Denis Kasak"
reporter.link = "https://github.com/dkasak"
summary = """
HTML injection in login fallback endpoints could be used for a
Cross-site-scripting attack ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891)).
Fixed in Synapse 1.21.0.
"""
project = "Synapse"
[[findings]]
date = "2020-09-09"
reporter.name = "Pritam Mukherjee"
reporter.link = "https://www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9/"
summary = """
Misconfigured X-Frame in New Vector internal infrastructure could lead to
Clickjacking
"""
project = "New Vector Infrastructure"
[[findings]]
date = "2020-08-14"
reporter.name = "awesome-michael"
reporter.link = "https://github.com/awesome-michael"
company.name = "Awesome Technologies"
company.link = "https://github.com/Awesome-Technologies"
summary = """
An issue where encrypted state events could break incoming call handling. Fixed
in [Element 1.7.5](https://github.com/vector-im/element-web/releases/tag/v1.7.5)
"""
project = "Element"
[[findings]]
date = "2020-07-29"
reporter.name = "0x1a8510f2"
reporter.link = "https://github.com/0x1a8510f2/"
summary = """
An issue where Element Android was leaking PII. Fixed in [Element Android 1.0.5](https://github.com/vector-im/element-android/releases/tag/v1.0.5)
"""
project = "Element"
[[findings]]
date = "2020-07-20"
reporter.name = "SakiiR"
reporter.link = "https://twitter.com/sakiirsecurity"
summary = """
An issue where an unexpected language ID in a code block could cause Element to
crash. Fixed in [Element 1.7.3](https://github.com/vector-im/element-web/releases/tag/v1.7.3)
"""
project = "Element"
[[findings]]
date = "2020-07-14"
reporter.name = "Denis Kasak"
reporter.link = "https://github.com/dkasak"
summary = """
Invalid JSON could become part of the room state, acting as a denial of service
vector ([CVE-2020-26890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26890)).
Fixed in Synapse 1.20.0. Disclosed 2020-11-23.
"""
project = "Synapse"
[[findings]]
date = "2020-07-02"
reporter.name = "Quentin Gliech"
reporter.link = "https://sandhose.fr"
summary = """
A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in
[Synapse 1.15.2](https://github.com/matrix-org/synapse/releases/tag/v1.15.2).
"""
project = "Synapse"
[[findings]]
date = "2020-06-18"
reporter.name = "Sorunome"
reporter.link = "placeholder"
summary = """
An issue where replying to a specially formatted message would make it seem like
the replier said something they did not. Fixed in [Element 1.7.3](https://github.com/vector-im/element-web/releases/tag/v1.7.3)
"""
project = "Element"
[[findings]]
date = "2020-05-10"
reporter.name = "Quentin Gliech"
reporter.link = "https://sandhose.fr"
summary = """
A CSRF attack leading to potential unauthorised access to accounts on servers
using single-sign-on flows. Fixed as part of [matrix-react-sdk#4685](https://github.com/matrix-org/matrix-react-sdk/pull/4685),
released in Riot/Web 1.6.3.
"""
project = "Matrix React SDK"
[[findings]]
date = "2020-05-03"
reporter.name = "David Wong"
reporter.link = "https://twitter.com/cryptodavidw"
summary = """
A vulnerability in the SAS verification protocol failing to bind the ephemeral
public keys. Fixed in [MSC2630](https://github.com/matrix-org/matrix-doc/pull/2630),
which lists the fixed client versions.
"""
project = "e2e spec"
[[findings]]
date = "2020-03-03"
reporter.name = "Rhys Davies"
reporter.link = "https://twitter.com/rhysmdnz"
summary = """
An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse
1.11.1
"""
project = "Synapse"
[[findings]]
date = "2019-05-02"
reporter.name = "Enguerran Gillier"
reporter.link = "https://twitter.com/opnsec"
summary = """
HTML injection in email invites. A malicious 3rd party invite could inject
unescaped HTML into the email template. Fixed in Sydent 1.0.3
"""
project = "sydent"
[[findings]]
date = "2019-05-02"
reporter.name = "Enguerran Gillier"
reporter.link = "https://twitter.com/opnsec"
summary = """
SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or
::/128 by default. Fixed in Synapse 0.99.3.1
"""
project = "synapse"
[[findings]]
date = "2019-05-02"
reporter.name = "Enguerran Gillier"
reporter.link = "https://twitter.com/opnsec"
summary = """
Insecure pseudo-random number generator in synapse meant that an attacker might
be able to predict random values. Fixed in Synapse 0.99.3.1
"""
project = "synapse"
[[findings]]
date = "2019-05-02"
reporter.name = "Enguerran Gillier"
reporter.link = "https://twitter.com/opnsec"
summary = """
Insecure pseudo-random number generator in sydent meant that an attacker could
predict authentication tokens. Fixed in Sydent 1.0.3
"""
project = "sydent"
[[findings]]
date = "2019-04-22"
reporter.name = "Julien Thomas"
reporter.link = "https://twitter.com/julien_thomas"
company.name = "Protektoid Project"
company.link = "https://protektoid.com"
summary = """
Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local
app could compromise account data. Mitigated [here](https://github.com/vector-im/riot-android/commit/096dfbef39bf0ce53ea2e80225a85e74d75aefa0).
"""
project = "Riot/Android"
[[findings]]
date = "2019-04-20"
reporter.name = "fs0c131y"
reporter.link = "https://fs0c131y.com/"
summary = """
Sydent session ids were predictable, meaning it was possible to infer the total
number of validations and also check if an address had been validated. Mitigated
[here.](https://github.com/matrix-org/sydent/pull/143)
"""
project = "Sydent"
[[findings]]
date = "2019-04-18"
reporter.name = "fs0c131y"
reporter.link = "https://fs0c131y.com/"
summary = """
An email validation exploit in Sydent. For more details see [here](https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/)
and [CVE-2019-11340](https://www.cvedetails.com/cve/CVE-2019-11340/).
"""
project = "Sydent"
[[findings]]
date = "2019-04-09"
reporter.name = "Jaikey Sarraf"
reporter.link = "https://twitter.com/jaikeysarraf/"
summary = """
Identified a unpatched RCE vulnerability in Matrix.org's public-facing Jenkins.
It transpired the vulnerability had been [exploited by an attacker](https://matrix.org/blog/2019/04/11/security-incident/).
"""
project = "Infrastructure"
[[findings]]
date = "2018-12-06"
reporter.name = "Brian Hyde"
reporter.link = "https://hyde.solutions/"
summary = """
XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run
arbitrary code in the domain of the content repository. Mitigated [here.](https://github.com/matrix-org/synapse/pull/4284)
"""
project = "Synapse"
[[findings]]
date = "2018-02-19"
reporter.name = "rugk"
reporter.link = "https://github.com/rugk"
summary = """
Origin check of ScalarMessaging postmessage API was insufficient. Mitigated
[here.](https://github.com/matrix-org/matrix-react-sdk/pull/1760)
"""
project = "Matrix React SDK"

12
content/security-hall-of-fame/index.md Normal file
View file

@ -0,0 +1,12 @@
+++
title = "Security Hall of Fame"
template = "security-hall-of-fame.html"
aliases = ["/hall-of-fame"]
+++
Here we maintain a list of security researchers and their findings, to recognize
them for having responsibly disclosed security issues to us in the past.
If you think you've found a security issue relating to Matrix software or
infrastructure, please see our [Security Disclosure Policy](/security-disclosure-policy)
on how to report it to us.

2
navigation.toml
View file

@ -11,7 +11,7 @@ header = [
footer_internal = [
{ title = "FAQs", href = "/faq" },
{ title = "Security Disclosure Policy", href = "/security-disclosure-policy" },
{ title = "Security Hall of Fame", href = "/hall-of-fame" },
{ title = "Security Hall of Fame", href = "/security-hall-of-fame" },
{ title = "Code of Conduct for Matrix.org", href = "/legal/code-of-conduct" },
{ title = "Legal", href = "/legal" },
{ title = "Contact", href = "/contact" },

14
sass/_security-hall-of-fame.scss Normal file
View file

@ -0,0 +1,14 @@
.finding-container {
margin-top: 1em;
margin-bottom: 1em;
padding-left: .5em;
padding-top: 0;
padding-bottom: 0;
border-left-color: #333;
border-left-style: solid;
border-left-width: 2px;
}
.finding-header {
font-style: italic;
}

1
sass/style.scss
View file

@ -12,3 +12,4 @@
@import '_guardians';
@import '_legacy-docs';
@import '_docs-home';
@import '_security-hall-of-fame';

14
templates/legal.html Normal file
View file

@ -0,0 +1,14 @@
{% extends "index.html" %}
{% block content %}
<div class="content">
<header>
<h1>{{ section.title }}</h1>
</header>
<ul>
{% for page in section.pages %}
<li><a href="{{ page.path }}">{{ page.title }}</a></li>
{% endfor %}
</ul>
</div>
{% endblock content %}

38
templates/security-hall-of-fame.html Normal file
View file

@ -0,0 +1,38 @@
{% extends "index.html" %}
{% block content %}
{% set data = load_data(path="content/security-hall-of-fame/findings.toml") %}
<div class="content">
<header>
<h1>{{ page.title }}</h1>
</header>
{{ page.content | markdown | safe }}
{% for finding in data.findings %}
<div class="finding-container">
<span class="finding-header">
{{ finding.date }}
-
{{ finding.project }}
-
{% if finding.reporter.link %}<a href="{{ finding.reporter.link }}">{% endif%}
{{ finding.reporter.name }}
{% if finding.reporter.link %}</a>{% endif %}
{% if finding.company.name %}
from
{% if finding.company.link %}<a href="{{ finding.company.link }}">{% endif %}
{{ finding.company.name }}
{% if finding.company.link %}</a>{% endif %}
{% endif %}
</span>
<div class="finding-summary">{{ finding.summary | markdown | safe }}</div>
</div>
{% endfor %}
<p>
If you think you should be on the list, apologies if we missed you,
please mail us at <a href="mailto:security@matrix.org">security@matrix.org</a>.
</p>
</div>
{% endblock content %}