2016-12-17
2019-08-22
Reward: 100 $

Discourse

We welcome review of our 100% open source code, and our public instance at https://try.discourse.org, to ensure the safety and security of Discourse forums across the world.

Code of Conduct

Only test against https://try.discourse.org. Reports of issues against other URLs are likely to be closed as ineligible.

Throughout your research, you must make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

We also ask that you refrain from:

  • Denial of service attacks

  • Spamming

  • Social engineering (including phishing) of Discourse staff or contractors

  • Any physical attempts against Discourse property or data centers

Disclosure

As an Open Source project, we will make security fixes public as soon as reasonably possible, and aim to publish advisories and/or CVEs for severe issues. We are generally happy to credit researchers in these announcements.

You must wait 90 days after the fix is released before publicly disclosing any information about the vulnerability, your research methods, or how it may be exploited.

Severity

We use a number of factors to determine the severity of an issue. These include:

  • The number of sites/users that are likely to be vulnerable

  • The impact to the affected system's confidentiality, integrity, and availability

  • The conditions required for the exploit to be successful

  • The access level required in order to exploit

The severity will be decided at the sole discretion of the Discourse team. As a guide, here are some examples of vulnerabilities which may fall into each category:

Low ($256)

  • Perform a trivial action which should not be permitted

Medium ($512)

  • CSRF which causes a user to perform an operation they didn't explicitly consent to

  • Stored XSS which is mitigated by Discourse's default CSP

  • Access to metadata about private topic/post content

High ($1024)

  • Stored XSS which is not mitigated by Discourse's default CSP

  • SSRF to an internal IP address

  • Access to private topic/post content

Critical ($2048+)

  • Privilege escalation to admin

  • Unrestricted access to the database (e.g. via backups)

  • Remote code execution

  • Accessing data relating to another site in a multi-tenant environment

Ineligible vulnerability types

  • SSRF - Discourse includes features (e.g. Onebox) which deliberately allow end-users to initiate server-side requests to external resources. SSRF reports will only be considered eligible if they allow requests to be made to IPs in a private range.

  • Admin-initiated Stored XSS - Discourse administrators are permitted to add and modify JavaScript on the site. If an XSS is only exploitable by administrators, then it is not eligible.

  • Admin-initiated denial-of-service - Discourse administrators are permitted to control all aspects of a site. An admin-initiated denial-of-service will only be considered eligible if it also denies service to other sites in a multi-tenant environment.

  • HTML Injection in posts - Users are permitted to enter basic HTML, including images, in Discourse posts, so this is not considered a vulnerability.

  • Version Disclosure - Discourse includes its version in the <head> deliberately; we do not consider this a vulnerability.

  • Social Engineering (including Phishing) of Discourse customers, staff or contractors.

  • HTTP-only exploits - Our sandbox is HTTPS, and you can assume all live Discourse instances are also using HTTPS.

Thank you for helping keep Discourse and our users safe!

In Scope

Scope Type: web_application
Scope Name: try.discourse.org


This program was crawled on 2016-12-17 and is sorted as bounty.

FireBounty © 2015-2024
