by lukaszwojtow 1377 days ago
Yeah, I looked at Matrix and it's really cool. But: 1. recent security problems make it a hard sell to my manager; 2. the people behind Matrix don't seem to care about getting this into commercial usage.
1 comments

What security problems? If you’re talking about https://matrix.org/blog/2022/08/31/security-releases-matrix-..., it’s not that exciting - it’s just a BAU security release; no reason for particular panic.

Meanwhile, https://element.io/matrix-services is the people behind Matrix caring about getting this into commercial usage.

No, this one: https://matrix.org/blog/2022/09/13/security-release-of-matri... Thanks for the link to EMS.
Sure, that's bad, but it's not "RCE via iMessage"-bad. The attacker would need to already have access to your homeserver, and be connected, to successfully pull off the attack. If that's a concern for you, it's not hard to put Matrix behind a VPN.

This is the part where I'd compare it to the CVEs of other popular messaging apps, but most of them don't have the confidence to be this transparent with their audience. YMMV, but "rolling your own" groupware isn't going to be safer than using an alternative supported by two or more users.

The vuln in question here is: “an attacker could take over an IRC channel where a Matrix bridge is present by confusing the bridge into merging it with a different channel”.

It isn’t a bug in Matrix itself, or Matrix servers or clients, but an IRC-specific thing in that IRC bridge implementation. It’s obviously a nasty bug from an IRC perspective, but it really doesn’t feel like something that should stop you promoting Matrix. It feels a bit like we are being penalised for being transparent on publicising security issues…