🔐 Security
Welcome to the Security space!
Purpose
The primary role of the Security Team – our Star Force – is to identify the risks the company faces and reduce them to an acceptable level. We ensure that security best practices are followed, safeguard the security of our applications, and proactively address new vulnerabilities and incidents. Our goal is to maintain the confidentiality, integrity, and availability of our services.
While the Security Team's mission is to safeguard both Rocket.Chat and our customers, this goal can only be realized through collaboration, making security everyone's responsibility across the organization.
Public Security Handbook
At Rocket.Chat, transparency is an important value - especially within our engineering team. Security should be no different. We are committed to being transparent and to opening our security processes and documentation to the public, to the extent that doing so is not harmful to our company. This helps other companies assessing Rocket.Chat gain a better understanding of our security maturity, and it helps inspire other security teams when drafting their own processes and deciding whether to open them to the public. You can read more about it in our Transparency Commitment.
Structure
The structure of the Security Team can be divided into four main areas. While we do have specialists in each of these areas, that does not mean an Application Security Engineer can't assist with GRC or Offensive Security, nor that an Offensive Security Engineer can't support Incident Response, for example. These are simply the areas of focus for our Security Team, and as a team, we collaborate with each other as much as we can.
The activities of each area are divided as follows:
Offensive Security | Defensive Security | Application Security | Governance, Risk, and Compliance (GRC)
---|---|---|---
At Rocket.Chat, Red Team and Offensive Security are used interchangeably. It encompasses: | At Rocket.Chat, Blue Team and Defensive Security are also used interchangeably. It encompasses: | Application Security, or simply AppSec, encompasses: | GRC encompasses:
Communication and Information
Discussion Channels
RC security channel - day-to-day conversation, invite on request
RC important - company-wide announcements, including security updates
RC-security-team - team-internal conversations, all team members are added during onboarding
Mailing Lists
Compliance
Vulnerability Disclosure