CodeIgniter security research

CodeIgniter is a powerful open-source PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.

CodeIgniter recognizes the important contributions that the security community currently makes and can make in the future. We want to make sure that we find any security issues in our open-source project, so we can fix them as soon as possible! If you find vulnerabilities in our framework, we’ll be glad to hear about it here on HackerOne or in our security mailbox at

In scope

We are interested in all (security-related) bugs in our framework. The source code of CodeIgniter can be found on GitHub at ci/CodeIgniter __.

Security-related bugs about our website at are also welcome, but our main priority is our framework since it’s used by thousands of developers around the world who depend on it. If you decide to research our website, please do not use automated scanners and read the "out of scope" section carefully!

Out of scope

The CodeIgniter 2.x version tree is discontinued since October 31st, 2015.

Our sub-domain is out of scope due to many reports. If you did find vulnerabilities in the forum software anyway, we recommend contacting MyBB at __.

Furthermore, we are aware of the (missing) security- and caching-related HTTP headers and their features, as well as similar mail-related settings such as SPF, DMARC and DKIM. Reports about these (even on in-scope domains) will be closed with N/A status.


A good report consists of:

  • a detailed explanation of the bug or vulnerability and the security risk and impact;
  • all relevant information about the used components e.g. classes, functions, parameters;
  • in case of cross-site scripting, the used browser version;
  • (optionally) a working proof-of-concept.


Unfortunately, we cannot offer any financial rewards, as CodeIgniter is a community-maintained project with practically no funding. But, we hope that public credit and the feeling of having done well may be gratifying.

Help our framework and score a “thanks” and new reputation points on HackerOne. If you find impressive vulnerabilities, we’d be happy to credit you in our changelog.

The CodeIgniter team

This program was found on HackerOne on 2015-10-23.

FireBounty © 2015-2019
