Are there any security audit findings for Mattermost that can be published?
A couple of blog posts refer to a MM security audit:
This post announcing the tie-in with Gitlab, which says Gitlab will fund an external audit.
The 1.0 release announcement says MM has passed a security audit, but the reference doesn’t provide any audit findings.
For context, we’re doing a bake-off between Mattermost and Hipchat, and any evidence or findings from a security audit would be very helpful in making the case for Mattermost.
The security audit funded by GitLab only found one minor issue in Mattermost v1.0, which was the need to generate salts dynamically. This was added in the Mattermost System Console, and the GitLab omnibus installer does automatically when you deploy Mattermost.
The security review firm was surprised not to find anything significant for a v1.0 release, and actually spent extra time without charge looking.
One key thing to note about Mattermost is that source code is publicly available to security researchers (in addition to a suite of installers and VMs) and we have a Responsible Disclosure Policy for getting confidential reports of any security-related issues that can then be fixed responsibly.