Please email the details to Rocket.Chat's security team at firstname.lastname@example.org. You will then receive an email with instructions on how to proceed with the disclosure.
Please refrain from requesting compensation for reporting vulnerabilities. If you want, we will publicly acknowledge your responsible disclosure on our WhiteHat Hall of Fame. We also try to make the confidential issue public after the vulnerability is announced.
You are not allowed to search for vulnerabilities on Rocket.Chat's Community server. Rocket.Chat is open source software, so you can install a copy yourself and test against that. If you want to perform testing without setting Rocket.Chat up yourself, please contact us to arrange access to a staging server.
You can find more about how to contribute to our security here.