We take security very seriously at Discourse. We welcome any peer review of our 100% open source code to ensure nobody's Discourse forum is ever compromised or hacked.
⚠️ Only test and report against https://try.discourse.org -- reports against any other URL will be closed as "Not Applicable." You have been warned.
- We are not interested in social engineering reports
- We are not interested in version disclosure reports
- We are not interested in HTTP sniffing or HTTP tampering exploits; our sandbox is HTTPS, and you can assume all live Discourse instances will be HTTPS.
- We will triage into:
  - Medium — CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to ($256)
  - High — XSS exploits ($512)
  - Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($1024+)
- We will publicly acknowledge any report that results in a security commit to https://github.com/discourse/discourse or official Discourse plugins
- For an issue to be marked Medium, High or Critical, it must result in a commit to a Discourse-owned repository that repairs said issue.
- Security issues always take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Discourse staff or contractors
- Any physical attempts against Discourse property or data centers
Thank you for helping keep Discourse and our users safe!