20180 policies in database
Link to program      
Phabricator logo


300 $ 


Security is serious business, just like Phabricator. If you can find a security vulnerability in the project, we’ll reward you with cold, hard cash. The cash will be transmitted electronically, so it will be cold and hard only figuratively.



  • IMPORTANT: DO NOT TEST secure.phabricator.com. Do not test an install of Phabricator that you do not own. This includes secure.phabricator.com and any other existing install you might find. If you report an issue against secure.phabricator.com or another install you do not own, it will not be accepted. Instead, install a local copy of Phabricator. This will let you test Phabricator without disrupting other users.

  • IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with phabricator.org, phabricator.com, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the Phabricator software itself.

  • For instructions on installing a local copy of Phabricator, see the Installation Guide.

  • We receive many reports (significantly more than 50%) from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "mongoose" somewhere in your report. If you do not, your report will be closed as "Not Applicable".

The Fine Print


  • Responsibly disclose a previously unknown vulnerability directly to us.

  • This vulnerability must significantly compromise the security of a typical Phabricator installation.

  • Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.

  • Vulnerabilities in Arcanist, libphutil, and Javelin are in scope.

  • Vulnerabilities in other bundled dependencies (in externals/ directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.

Getting Started


  • You can find the source and start looking for vulnerabilities on GitHub.

  • Phabricator has more than 300,000 lines of PHP, so there are probably at least sixty or seventy million security vulnerabilities in the project. Virtually limitless wealth!

Response Timeline


  • We will respond to reports within 24 hours.

  • We will fix security issues within 24 hours of confirming them.

Bounty Range: ~$300 - $3,000, based on severity.

Firebounty have crawled on 2013-12-03 the program Phabricator on the platform Hackerone.

FireBounty © 2015-2021

Legal notices