Mattermost Security Policy#

This document summarizes the internal security policies at Mattermost, Inc.

Security benefits of an open source platform#

The open source Mattermost Team Edition is used by thousands of teams around the world. Development is aided by hundreds of open source contributors, with full access to the product source code, who have a vested interest in keeping the software secure and vetted.

As new threats emerge, a responsible disclosure policy is in place for the community to confidentially report security issues so they can be addressed by Mattermost, Inc. prior to documenting security updates publicly.

The commercial Mattermost Enterprise Edition extends the security and productivity benefits of the open source solution with support for advanced security, management, scale, and policy compliance features for complex organizations.

Mattermost Development Guidelines#

Tracking#

  • Prior to implementation, potential code changes are discussed and documented in Mattermost’s issue tracking system.

  • Security tickets are confidential to Mattermost, Inc. staff, who are under NDA, and specially tagged to avoid disclosure.

  • All potential code changes are mapped to tickets prior to acceptance, with the exception of trivial changes and bug fixes.

Review#

  • To uphold security, quality and reliability standards, all potential changes submitted by open source contributors must pass an accepting pull requests vetting process prior to submission.

  • Clarity and readability of code is enforced through the Mattermost contribution checklist.

  • After submission, all proposed changes require at least two code reviews for reliability, quality, and system security.

  • All open source contributions are available for public inspection and commentary before and after acceptance.

Reporting#

  • Mattermost uses a responsible disclosure policy to accept confidential reports of new threats, so they can be addressed either immediately through a dot release, or by the next monthly release depending on potential impact.

  • When Mattermost software undergoes security and penetration testing at customer sites security updates are added to the core software and publicly documented by release.

Patch Management#

  • Critical updates are released for urgent, high priority security issues or critical losses of functionality that should not wait for the next monthly release.

  • Mattermost software has a mandatory upgrade policy and customers and users need to be on the latest release to receive critical updates.

  • Critical updates are delivered as dot releases, for example a critical update to release 3.1.0 would be named 3.1.1.

  • Customers and subscribers to the Security Bulletin mailing list receive notifications about all critical updates.

Security Review Checklist#

In addition to checklists for quality and reliability, code changes receive multiple reviews for the following system security design principles:

  • Reducing information disclosure

  • Reducing attack surface

  • Protecting against denial of service vulnerabilities

  • Preventing message spoofing

  • Preventing cross-site scripting

  • Preventing cross-site forgery

  • Preventing remote code execution

Security Update Monitoring#

The following resources are monitored for information about new security threats and attack vectors.

All dependencies are updated on a regular basis to ensure Mattermost uses the latest security updates.

Infrastructure Security Policies#

  1. Technical infrastructure, including network security, servers and access control protocols are regularly reviewed for potential threats and vulnerabilities.

  2. Business process, HR process and policies are regularly reviewed for potential threats and vulnerabilities.

  3. A penetration test on the software is performed regularly. A copy of penetration results may be requested by customers upon five (5) day written notice at any time, but no more than once per twelve (12) month period.

Business Continuity Plan#

This document outlines Mattermost, Inc.’s Disaster Recovery and Business Continuity Plan (DRBCP) informed by the Federal Financial Institutions Examination Council guidelines on Business Continuity Planning in the context of Mattermost, Inc. being a vendor providing self-hosted software and consulting services to financial institutions.

Because Mattermost software runs within a customer’s data center, behind a customer’s firewall and existing layers of security, without dependency to services hosted by Mattermost, the disruption of the business continuity of Mattermost, Inc. does not immediately impact the operating continuity of its customers. It does affect Mattermost’s ability to answer support requests, provide consulting services, and provide new improvements or patches to Mattermost software.

At a high level, precautions include:

  • DRBCP is tested, evaluated and refined annually to ensure our processes are working and up-to-date.

  • As support is the most critical service offered, multiple channels for support engagement are available and monitored, including email, a Mattermost community server available on web, desktop and mobile, online forums, online forms, social media channels (Twitter and Facebook), and for Premier Support customers, we offer a telephone-based call center.

  • Subject Matter Experts for escalations are available in at least three centers in different timezones to provide redundant coverage should communication with one or multiple centers be disrupted. Mattermost staff use a diverse set of operating systems, including Mac, Windows, and different distributions of Linux, and a diverse set of global internet service providers, to reduce the potential damage of a single strain of malware, single desktop computing exploit, or single telecommunications outage.

  • As further redundancy, we have a network of partners around the world skilled in Mattermost technologies to be contacted for assistance for critical customer issues.

  • As further redundancy, we have a community of several hundred engineers around the world and over a thousand contributors to our online forums, who have sufficient access and expertise in Mattermost’s open source technologies that could be contact in the highly unlikely event both Mattermost, Inc. and our partner networks are unable to service our customers.

  • As further redundancy, Mattermost provides open source code for its core server technology, mobile applications, desktop applications, and a wide array of extensions which allows customers to have transparency into the functionality of the software and solve the issue with their internal technical teams should a massive worldwide failure of Mattermost, Inc., its partners and its community arise.

Mattermost, Inc. is headquartered in Palo Alto, California with a distributed organization across three timezones, and is therefore not easily affected by typical causes of business disruption, such as local failures of equipment, power, telecommunications, social unrest, fire, or natural disasters. Even so, threats considered in the context of business continuity are categorized by impact of the disruption.

Priority 1: Outages that would have immediate impact on a Mattermost customer#

Key support staff unavailable in case of customer emergency.#

Effect: Emergency response times exceed expectations.

Solution(s)

Level 1 (Critical Business Impact) and Level 2 (Major Business Impact) support requests are received by on-call support staff, as well as three supervisory staff who can monitor and escalate issues should the assigned staff member appear to be unavailable or unable to respond to the request within the SLA time allotted.

As an additional safeguard, when an L1 or L2 escalation is reported, a notification is sent via the company’s internal Mattermost instance to all qualified support staff to be aware of the issue, and any member can step in if it seems follow up may not be achieved within SLA expectations.

Mitigation(s)

  • Mattermost, Inc. employs support staff and engineers in multiple timezones to increase availability, reduce response times and to reduce the risk that key support staff would be unavailable to service emergency requests.

Downtime for Mattermost Hosted Push Notification Service (HPNS)#

Effect: End users at customer sites deploying on HPNS do not receive mobile push notifications.

Solution(s)

Mattermost, Inc. can re-deploy the service from backup to new infrastructure, should its existing infrastructure suffer an outage.

Mitigation(s)

HPNS is available as open source software hosted on GitHub.com, allowing enterprises an option to compile and self-host the service, should they choose not to use HPNS hosted by Mattermost, Inc.

Disruption of infrastructure providing support over email, online tickets or Mattermost messaging during customer emergency#

Effect: Unable to communicate with Mattermost, Inc. support team during emergency

Solution(s)

Should a support channel be out-of-service, Mattermost, Inc. provides redundant support options through email, online ticketing, and (for customers who have purchased core access Premier support) online message via Mattermost.

Priority 2: Outages having immediate impact on business continuity#

Outage due to malicious software (viruses, works, trojans, and similar)#

Effect: Reduced capacity to continue business operations, depending on attack.

Solution(s)

Mattermost, Inc. staff uses multiple anti-virus solutions for detecting and removing malicious software and regularly backs up key systems to delete infected systems and re-deploy its infrastructure. Moreover, the company uses a range of Windows, Mac, and Linux-based workstations, reducing the probability of a company wide disruption from a single strain of malicious software.

Outage due to online attacks#

Effect: Reduced capacity to continue business operations, depending on attack.

Solution(s)

Mattermost, Inc. runs multiple monitoring and alerting services to detect and isolate suspicious traffic and requests in order to minimize downtime from potential online threats.

Should our self-hosted Mattermost instance be disrupted we can, if needed, quickly re-deploy the solution within our VPN.

Disruption due to influenza pandemic or infectious disease outbreak#

Effect: Reduced capacity to continue business operations.

Solution(s)

Mattermost, Inc. employs staff and engineers in multiple timezones and geographic areas, reducing the risk of significant disruption that an influenza pandemic or infectious disease outbreak would cause to business operations.

Priority 3: Outages greater than 72 hours impacting business continuity#

Outage of online CRM system#

Effect: Reduced ability to continue sales operations.

Solution(s)

While there is no current failover plan should our online CRM system become disrupted, we have SLAs with our CRM vendor - which is used by thousands of other organizations - and believe the probability of sustained outage is low.

Priority 4: Outages greater than 10 days impacting business continuity#

Outage of online HR and intranet systems#

Effect: Reduced ability to continue HR and internal operations.

Solution(s)

While there is no current failover plan should our online HR or intranet system become disrupted, we have SLAs with our vendors - which is used by thousands of other organizations - and believe the probability of sustained outage is low.

Attribution#

This section is derived from the Mattermost Handbook, licensed cc-by-nc. Repository on github: mattermost/mattermost-handbook