Security Disclosure Policy

Element greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Element's user base from the impact of security issues.
On our side, this means:

  • We will respond to security incidents as a priority.
  • We will work with you to establish a disclosure time frame for the reported vulnerability. During this time frame, we will either work on a fix or decide to accept the risk, after which we will disclose the vulnerability.
  • We will always transparently let customers and the community know about any incident that affects them.

In general, we will aim for a fix within 90 days of processing your report, but we may propose a longer time frame (usually 120 days) on a case-by-case basis. In some cases, when a vulnerability is particularly disruptive and/or easy to exploit, we may delay publishing technical details for an additional period after the fix is publicly available (usually no longer than 30 days).

If you have found a security vulnerability in one of Element's projects, we ask that you disclose it responsibly by emailing [email protected]. Optionally, if you want to encrypt your email, you can use our PGP key. Please do not discuss potential vulnerabilities in public without first validating them with us.

On receipt, the security team will:

  • Review the report, verify the vulnerability and respond with a confirmation and/or requests for further information; we typically reply within one or two business days.
  • Once the reported security bug has been addressed, we will notify the Researcher, who is then welcome to disclose publicly if they wish.

We only respond to emails that clearly describe the issue or vulnerability. Please include enough detail in your initial contact (for example, the affected project and how to reproduce the issue) for us to proceed effectively.

AGPL Exception

In the event of a newly-identified security vulnerability in an AGPL-licensed Element project ("Project"), we offer a temporary licensing exemption for an embargo period agreed between You and us, such period not to exceed 120 days (the "Embargo Period"). This exemption allows for the necessary patching of your instance without the immediate public disclosure of the modification, under these conditions:

  1. The modification performed on your instance ("Security Patch") addresses a security vulnerability ("Vulnerability") in the Project;
  2. Early disclosure of the Vulnerability would pose significant risks to users (as determined by us);
  3. The Security Patch and related Vulnerability details are reported and disclosed to us and You engage in a coordinated disclosure process with us;
  4. The exemption is solely for the specific Security Patch for the particular Vulnerability that was reported to us and does not apply to other modifications; and
  5. The source code of the final patch, be it the Security Patch or an alternate version developed by us addressing the same Vulnerability, will be made publicly available by us at the end of the Embargo Period.