Every (active) Matrix user in a bridged room (or portal) has a corresponsing user/connection on IRC. That is, if you join a bridged Matrix room as @charcircuit:example.com, the appservice responsible for bridging said room to IRC will open a connection with NICK/USER charcircuit to IRC (if not open already).
Effectively, appservice-irc is a multi tenant IRC client.
I don't see a reference to this issue on their bug bounty page (https://app.intigriti.com/programs/matrix/matrix/detail) but it's possible that the researcher came to them directly or didn't want a reward. You'll have to ask the person who demonstrated the vulnerability.
According to their responsible disclosure page (https://matrix.org/security-disclosure-policy/) they don't generally do bug bounties. I'm not sure what their intigrity page is all about, perhaps they did in the past?
In the infosec community, "researcher" is the noun of choice to describe anyone who has discovered a security vulnerability, no matter their motivation or experience.
Element currently piggybacks on the Matrix.org Foundation bug bounty programmes (which are the relevant ones here anyway, given matrix-appservice-irc is a Matrix.org project - i.e. owned by and managed by the Foundation, albeit with lots of contributions from Element employees)
Right now the Matrix.org Foundation is between bug bounties - we ran an EU funded one via Intigriti last year (https://portswigger.net/daily-swig/intigriti-launches-eu-bac...) until the funding was consumed, and I'm literally about to sign the contract on a new permanent one for the Matrix Foundation funded by Element run by YesWeHack.
Is there a decent overview of commercial adoption of Matrix? i.e. what are the top 10 biggest companies using Matrix, and is there a vehicle by which they could pay for some security audits and bug bounties above and beyond the Matrix foundation?
17 comments
[ 3.0 ms ] story [ 49.9 ms ] threadHow can a matrix user execute commands when they are my definition not in the IRC server? Does it mean it allows the bot to execute commands?
Effectively, appservice-irc is a multi tenant IRC client.
According to their responsible disclosure page (https://matrix.org/security-disclosure-policy/) they don't generally do bug bounties. I'm not sure what their intigrity page is all about, perhaps they did in the past?
A click on the url to his homepage reveals that he is a backend software engineer who does volunteer work on free software and open protocols
And even so, does a freelance researcher "have a job", in the traditional sense?
Right now the Matrix.org Foundation is between bug bounties - we ran an EU funded one via Intigriti last year (https://portswigger.net/daily-swig/intigriti-launches-eu-bac...) until the funding was consumed, and I'm literally about to sign the contract on a new permanent one for the Matrix Foundation funded by Element run by YesWeHack.
EDIT: https://matrix.org/security-disclosure-policy/ will get updated when the new bounty programme is live. You can see the history of that page over at https://github.com/matrix-org/matrix.org/commits/master/gats... in terms of when bounties have come & gone over the years.