Security
This page documents how to report a security vulnerability in Matome and what you can expect in return. Matome processes Gmail content under Google's restricted-scope policy, so we treat security reports as a first-class input.
1. Reporting a vulnerability
Email security@matome.ai with a description of the issue, the steps to reproduce, and the impact you observed. If you have proof-of-concept code or screenshots, include them — we will not retaliate against good-faith research conducted under this policy. A machine-readable copy of this contact lives at /.well-known/security.txt.
2. Disclosure policy
We follow coordinated disclosure. Please report privately first, give us a reasonable window to remediate, and refrain from public disclosure until a fix has shipped. Our default coordination window is 90 days from initial report; we will negotiate a shorter or longer window in good faith based on severity and complexity. Public credit will be offered if you would like it.
Good-faith research conducted under this policy is welcome and is not a violation of our Terms of Service.
3. In scope
The following are in scope for this disclosure policy:
- The Matome web application at matome.ai and any direct subdomains we operate.
- The Google OAuth flow, consent screen, and token-handling endpoints.
- The digest pipeline, classification pipeline, and SendGrid send path.
- The self-serve account export and account deletion endpoints (/api/account/export, /api/account/delete).
- The retention-purge cron and the audit-log subsystem.
- Authentication, session, IDOR, authorization, and Row-Level-Security bypass classes.
- Secret leakage, including in logs, error messages, exports, or static assets.
4. Out of scope
The following are out of scope and reports limited to these classes will be closed without further investigation:
- Social engineering, phishing of Matome staff, or physical attacks against any person or facility.
- Denial-of-service, volumetric load testing, or rate-limit stress tests.
- Vulnerabilities in third-party services Matome depends on (Supabase, Vercel, OpenAI, SendGrid, Google) — please report those directly to the vendor.
- Automated scanner output without a working proof-of-concept demonstrating impact.
- Missing best-practice headers, missing rate limits on unauthenticated endpoints, or missing CSP directives without an exploit chain.
- Clickjacking on pages without sensitive state-changing actions.
- Self-XSS, or attacks requiring an already-compromised browser, device, or Google account.
5. Response timeline
What you can expect once a report reaches us:
- Acknowledgment: within 3 business days.
- Triage decision: within 7 business days — we will tell you whether we accept, dispute, or need more information.
- Remediation target: Critical severity within 7 days; High within 30 days; Medium within 60 days; Low on a best-effort schedule.
6. No bug bounty
Matome does not currently operate a paid bug bounty program. We deeply appreciate good-faith reports and will publicly credit researchers on request, but we cannot offer monetary rewards at this time.
7. Security posture
A brief summary of the controls behind the Service follows. The full retention and storage details live in our Privacy Policy.
- TLS 1.2+ in transit; AES-256 at the disk layer.
- Application-layer AES-256-GCM encryption of OAuth refresh and access tokens.
- Newsletter bodies are nulled 7 days after receipt by the daily retention-purge cron.
- Append-only audit log of consent grants, exports, and deletions.
- Row-level security policies on every user-data table as a forensic backstop.
- Self-serve account export and deletion; deletion is immediate and removes all linked data in a single transaction.
Last updated: April 2026