2015-10-23
2019-08-03

CodeIgniter

CodeIgniter security research

--

CodeIgniter is a powerful open-source PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.

CodeIgniter recognizes the important contributions that the security community currently makes and can make in the future. We want to make sure that we find any security issues in our open-source project, so we can fix them as soon as possible! If you find vulnerabilities in our framework, we’ll be glad to hear about it here on HackerOne or in our security mailbox at security@codeigniter.com.

In scope

--

We are interested in all (security-related) bugs in our framework. The source code of CodeIgniter can be found on GitHub at https://github.com/bcit-ci/CodeIgniter.

Security-related bugs about our website at codeigniter.com are also welcome, but our main priority is our framework since it’s used by thousands of developers around the world who depend on it. If you decide to research our website, please do not use automated scanners and read the "out of scope" section carefully!

Out of scope

--

The CodeIgniter 2.x version tree has been discontinued since October 31st, 2015, and is therefore out of scope.

Our sub-domain forum.codeigniter.com is out of scope due to the many reports already received. If you do find vulnerabilities in the forum software anyway, we recommend contacting MyBB at https://www.mybb.com/get-involved/security/.

Furthermore, we are aware of the (missing) security- and caching-related HTTP headers and the features they provide, as well as similar mail-related settings such as SPF, DMARC and DKIM. Reports about these (even on in-scope domains) will be closed with N/A status.

Reporting

--

A good report consists of:

  • a detailed explanation of the bug or vulnerability, including the security risk and impact;

  • all relevant information about the components involved, e.g. classes, functions, parameters;

  • in case of cross-site scripting, the browser version used;

  • (optionally) a working proof-of-concept.

Rewards

--

Unfortunately, we cannot offer any financial rewards, as CodeIgniter is a community-maintained project with practically no funding. But we hope that public credit and the satisfaction of having done well will be gratifying.

Help our framework and score a “thanks” and new reputation points on HackerOne. If you find impressive vulnerabilities, we’d be happy to credit you in our changelog.

Regards,

The CodeIgniter team

In Scope

--

Scope Type          Scope Name
web_application     www.codeigniter.com
web_application     https://github.com/bcit-ci/CodeIgniter

Out of Scope

--

Scope Type          Scope Name
web_application     forum.codeigniter.com


This program has been found on HackerOne on 2015-10-23.
