The security audit funded by GitLab only found one minor issue in Mattermost v1.0, which was the need to generate salts dynamically. This was added in the Mattermost System Console, and the GitLab omnibus installer does this automatically when you deploy Mattermost.
The security review firm was surprised not to find anything significant for a v1.0 release, and actually spent extra time without charge looking.
One key thing to note about Mattermost is that the source code is publicly available to security researchers (in addition to a suite of installers and VMs) and we have a Responsible Disclosure Policy for getting confidential reports of any security-related issues that can then be fixed responsibly.