We actively support and fix security issues in the latest versions:
If you have found a vulnerability, please do not open a public issue. Instead, use one of the following private channels:
- Matrix (Encrypted): Message me directly at @mlmistaken:matrix.org or join our support room #mages-sec-support:matrix.org.
- Email: Send details to mlm.gamestudio@gmail.com.
- A brief description of the vulnerability.
- Steps to reproduce (Proof of Concept).
- Potential impact.
- Recognition: Valid, responsibly disclosed reports will be acknowledged in release notes and this document.
- Disclosure: Please allow us time to fix the issue before sharing details publicly.
This security policy applies to the Mages Matrix client application, including:
- The Kotlin/JVM Android application code
- The Rust FFI bindings
- Build and release processes
- Third-party homeservers (matrix.org, Synapse, etc.)
- Other Matrix clients
- User devices or operating systems
Thank you to the following security researchers who have responsibly disclosed vulnerabilities:
| Researcher | Report | Date |
|---|---|---|
| Add your name here |
Researchers who responsibly disclose security issues will be listed here.
We currently do not have any bug bounty programs, but might aim to participate later when we have a reliable funding source:
Thank you for helping keep Mages and the Matrix ecosystem secure!