Matomo

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
737216887 APPLE_STORE_APP_ID low low low medium
Matomo Mobile 2 iOS App. Only critical issues compromising the token are in scope.
https://github.com/innocraft/ SOURCE_CODE low medium low high
All other software on the innocraft GitHub organisation
https://github.com/matomo-org SOURCE_CODE low medium low high
All other software on the matomo-org GitHub organisation
https://github.com/matomo-org/matomo SOURCE_CODE critical
This repository contains the source code of Matomo Analytics.
https://plugins.matomo.org/developer/innocraft SOURCE_CODE high high high critical
Official plugins by Innocraft
https://plugins.matomo.org/developer/matomo-org SOURCE_CODE high high high critical
Official plugins by the Matomo team
https://www.innocraft.cloud/ URL high high high critical
Matomo Analytics Cloud. *username.innocraft.cloud* is also in scope, but please limit tests to ones that don't affect the live instance (no automated tools). You can easily [set up your own Matomo instance](https://matomo.org/docs/installation/) for extensive testing.
org.piwik.mobile2 GOOGLE_PLAY_APP_ID low low low medium
Matomo Mobile 2 Android App. Only critical issues compromising the token are in scope.

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
https://api.matomo.org/ URL none high medium none
https://forum.matomo.org/ URL none
Please don't post test posts on the forum. The forum is using Discourse, so please report any security issues [on their bug bounty](https://hackerone.com/discourse).
https://matomo.org/ URL none
Project website
https://plugins.matomo.org/ URL low low medium none
The Matomo Marketplace Platform is excluded from this bug bounty
https://shop.matomo.org/ URL none