We take security very seriously at Discourse. We welcome any peer review of our 100% open source code (https://github.com/discourse/discourse) to ensure nobody's Discourse forum is ever compromised or hacked.
- We are not interested in social engineering reports
- We are not interested in version disclosure reports
- We are not interested in HTTP sniffing or HTTP tampering exploits; the https://try.discourse.org sandbox is served over HTTPS, and you can assume all live Discourse instances are HTTPS as well.
- We will triage reports into:
  - Medium — CSRF, or any exploit that causes a user to perform an operation they didn't explicitly consent to
  - High — XSS exploits
  - Critical — exploits resulting in privilege escalation to admin, or in downloading the site database
- We will publicly acknowledge any report that results in a security commit to https://github.com/discourse/discourse
- Security issues always take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.
- Give us a reasonable amount of time to resolve the issue before any disclosure to the public or to a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Discourse staff or contractors
- Any physical attempts against Discourse property or data centers
Thank you for helping keep Discourse and our users safe!
Hall of Fame