Bug Bounty Program

Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software1. However, no code is 100% perfect, and there might be some vulnerabilities and bugs that could critically impact running instances of NodeBB.

As of November 2017, we've launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing security@nodebb.org.

We take every issue seriously, and aim to triage and deploy a fix as soon as possible.

Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.

We will award bounties for verified and qualified vulnerabilities as follows:

  • Low ($0-$64)
    • e.g. Bugs and best-practice violations that do not strictly classify as a vulnerability
  • Medium ($128)
    • e.g. CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to
    • e.g. Exposure of private user data or content (e.g. exposure of private posts or user email/IP address, etc.)
  • High — XSS exploits and account takeovers ($256)
  • Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($512)

Notes and Limitations

  • Report all bugs to security@nodebb.org. Posts to our forum or emailed directly to someone at the NodeBB team may result in delays.
  • Please test and report against our testbed instance: https://try.nodebb.org . It runs the latest released NodeBB code, and is updated one day after the latest release.
  • Do not send videos of the vulnerability – we are unable to view videos linked due to our company security policy. Please provide reproduction steps as completely as possible, or a proof-of-concept command/code if applicable.
    • e.g. If we have a vulnerability in our API, send us a curl command that successfully demonstrates the vulnerability
  • All other associated properties of NodeBB (e.g. main website, SaaS portal, etc.) do not qualify for the bug bounty, only vulnerabilities confirmed on https://try.nodebb.org are eligible.
  • We reserve the right to reject a vulnerability report if it has been reported by someone else before you.
  • Social engineering attacks and physical attacks are not covered under the bug bounty umbrella
  • Shell breakout and local file access vulnerabilities are judged based on access to an unprivileged shell account. Privilege escalation to root user on an affected system is outside of NodeBB's scope.
    • We understand that if NodeBB were installed and executed under the root user, then a shell breakout could have disastrous results, but we caution against this in our documentation, and ultimately it is the responsibility of the system administrator to ensure that NodeBB is running with as few privileges as possible.
  • Only the core code and bundled plugins qualify for the bug bounty. Third-party plugins are not covered. The following modules are considered "bundled":
    • nodebb-plugin-composer-default
    • nodebb-plugin-dbsearch
    • nodebb-plugin-emoji
    • nodebb-plugin-markdown
    • nodebb-plugin-mentions
    • nodebb-plugin-soundpack-default
    • nodebb-plugin-spam-be-gone
    • nodebb-rewards-essentials
    • nodebb-theme-lavender
    • nodebb-theme-persona
    • nodebb-theme-slick
    • nodebb-theme-vanilla
    • nodebb-widget-essentials

We'll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on disclosure until a time is agreed-upon (typically 30-90 days).


1 Actually, it'd be a little sad if we didn't, wouldn't it?

Past Bounties

The following vulnerabilities have been identified and resolved. They are disclosed below for transparency reasons, as well as to reward those users who have spent time and effort to discover them.

Date Type Description Reporter Severity Notes
16/8/2017 XSS XSS in chat using an SVG tag as payload Jigar Thakkar High ($256) Resolved in df069ee, released in v1.6.0
16/8/2017 Bug window.opener is defined in target="_blank" links Jigar Thakkar High ($256) https://mathiasbynens.github.io/rel-noopener
Fixed in Markdown and IFramely plugins
16/8/2017 Bug Password reset route needs brute force prevention measures Jigar Thakkar Medium ($128) Fixed in v1.6.0
16/8/2017 XSS XSS in Moderation Note at user info page Jigar Thakkar High ($256) Fixed in dc9b210, released in v1.6.0
15/9/2017 Bug Information disclosure in groups api Andrew Cook Medium ($128) Fixed in https://github.com/NodeBB/NodeBB/commit/4c0d4308192d754d51ef4f9a0b831cb2f64ca81d, released in v1.6.1
9/10/2017 XSS XSS on outgoing url click (javascript: protocol payload) Larry Yuan Medium ($128) Fixed in https://github.com/NodeBB/NodeBB/commit/72502ff9923ed7d467209bc398635f55bad4be2a, released in v1.6.1
13/10/2017 XSS XSS in flag list and details page Private Party N/A Fixed in https://github.com/NodeBB/NodeBB/commit/b44cfacda1800ff193987fabd1a64a22fd7a981d, released in v1.7.0
31/10/2017 XSS Stored XSS due to vulnerable image upload handling Alexander Antukh High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/18f4f27fe0757ca11e4d54ab8ed38dc02ab3dbbb, released in v1.7.0
8/11/2017 Bug Unintentional leakage of private user information in users API Artur Matczak Medium ($128) Fixed as part of https://github.com/NodeBB/NodeBB/issues/5804, released in v1.7.0
29/11/2017 Bug Message retrieval via socket (mid) doesn't check uid Alexander Antukh Medium ($128) Fixed in b19310049d9c2e55f88b05a25fafff3e7752e6cf, released in v1.7.2
30/11/2017 XSS Stored XSS in x-forwarded-for, X-Forwarded-For: <script>alert("XSS")</script> Alexander Antukh High ($256) Fixed in a7a3f3619b070ce000c91321f13eb38e561fdc4b, released in v1.7.2
1/12/2017 XSS Stored XSS in the admin panel (registration queue), script in email field Alexander Antukh High ($256) Fixed in e3fd4020706ae1e44c92bc3da1b0385d628c503f, released in v1.7.2
1/12/2017 Bug User list CSV DoS if referenced as image and pasted many many times Alexander Antukh Medium ($128) Fixed in e6d31c8bd212d46272864103896728b70602c2da, released in v1.7.2
11/12/2017 Bug Information disclosure (IP addresses) via post-geolocation Artur Antczak Medium ($128) Fixed in NodeBB/nodebb-plugin-post-geolocation@168e5c2e417127ef1995259230f61cecdedbac17
14/12/2017 Bug Image upload by URL can leak port status via reflection Private Report Fixed in 88b47f357bd340955264bd2e5130805259285ed0, released in v1.7.3
15/1/2018 Bug Reset token contained in Referer header when navigating to external links Ali Razzaq Low ($64) Fixed in f138d3cb70e96a6124c543092397c907d959d9d5, released in v1.7.4
20/2/2018 Bug Token leak in referer header from external resources loaded in reset confirmation page Private Report Low ($64) Fixed in 7edc58b727781ac6a1097ebe4b8789f4afcfc02d, released in v1.8.0
21/2/2018 Bug Strict transport security not enforced Private Report Low ($64) Fixed in 98b0bdc7e10dcaa524ca9476ee5262242d2a6ebc, released in v1.8.0
26/3/2018 Bug Password Policy not enforced in password reset route Mohammed Abdul Raheem Low ($64) Fixed in 9aa9183cc3e90d0bbd9e94e7612b264ed6d00c9a, released in v1.8.2
3/4/2018 Bug window.opener exposed on outgoing links opened in new tab Albin Thomas Low ($64) Fixed in 5593a3e9ad60e0dbfaeb3232ac899ad0da1eea45, released in v1.8.2
12/4/2018 XSS Emoji are not sanitized when put into a link or image URL. Larry Yuan Very Low ($0, not exploitable) Fixed and released in nodebb-plugin-emoji-extended@2.2.2
3/6/2018 Bug Window opener is available if user specifies opening of external links in new tab (noopener not adhered to by ajaxify) Albin Thomas Low ($64) Fixed in a3e724e134894860c607e5a9980a308684288c57, released in v1.10.0
5/6/2018 CSRF SSO implementation missing CSRF/state/nonce protection Larry Yuan High ($256) Fixed in ec91ef1c644044bba44198b031913655e784b4bb, released in v1.10.0
11/6/2018 XSS XSS in Chat "roomName" parameter Alexander Antukh Very Low/Not Exploitable ($0) Fixed in c91b96c13329b06580a6507079e2aab402fa6838, released in v1.10.0
22/6/2018 XSS XSS in upload from url Piyush Malik Low ($64) Fixed in 742ddd358be418ab7eb4dc8c80230b0f7b30f912, released in v1.10.0
26/6/2018 XSS XSS in composer route Huzaifa Jawaid High ($256) Fixed in nodebb-plugin-composer-default#6fb80e437b77ff17a719fd24d6c723f143dd4ccd, released in v1.10.0
29/6/2018 Other Missing session revocation on email change Shammam Raza Low ($64) Fixed in 7e6007e1464fbfeb53151002897466bbaeae2799, released in v1.10.1
3/7/2018 Bug Socket user.deleteAccount has no server-side checks for password correctness Chakri Low ($64) Fixed in fb42862ec7a5a3d6a18cbf402818910eb9661129, released in v1.10.1
4/7/2018 Bug Reset code leaked to third-party analytics, etc. due to presence in path Yeasir Arafat Low ($64) Fixed in f09b1acfb74840c4e1350e80e8aad2f0ace81781, released in v1.10.1
11/7/2018 Bug Change password/email routes do not have brute force protection for password Vicky Vk Very Low/Not Exploitable ($0) Fixed in 7558046e757640e99614aa88df4998bdb362d16b, released in v1.10.2
5/9/2018 XSS XSS in Post Queue Artur Matczak High ($256) Fixed in 446b125c835dc508553a9aab89d0d33a6affdac7, released in v1.10.2
10/9/2018 Bug Uploading large image hangs nodebb Buğra Eskici Low ($64) Fixed in PR #6774, released in v1.10.2
21/12/2018 Bug 2FA can be disabled on login screen Buğra Eskici Low ($64) Fixed in 2factor plugin
16/01/2019 Other Local file traversal vulnerability Jacopo Gallelli Critical ($512) Fixed in https://github.com/NodeBB/NodeBB/pull/7259, released in v1.12.0
21/09/2019 XSS SVG upload as cover with malicious js Qing Wang High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/96ab8d05aa768348f2ef83dce83b7fd4f7e6c8cf, released in v1.13.0
16/12/2019 Bug Composer open redirection Patrick Philip Sanchez Low ($64) Fixed in composer@1467d6c210bd7bd6135c41bc2aa23d774100e1d4, released in v1.13.1
7/1/2020 Privilege Escalation Privilege escalation to admin opliko Critical ($512+) Fixed in https://github.com/NodeBB/NodeBB/commit/61da8c29ac1a407e65bf5702c4dd4f212aa443ca, released in v1.13.2
11/1/2020 Bug XSS in language field on settings page Numan Turle Low ($64) Fixed in https://github.com/NodeBB/NodeBB/commit/e06c1bfcd2fa45beda54ff82e53efa4521b5f32b, released in v1.13.2
15/1/2020 XSS XSS in topic thumb upload Numan Turle High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/b7a57996f75837aac5bf248bac02e3b46dc54120, released in v1.13.2
17/1/2020 XSS XSS on user settings page homepageRoute/bootswatchSkin Numan Turle Low ($64) Fixed in https://github.com/NodeBB/NodeBB/commit/b0f3e48ac2ede6737e22f333ae6d7bbde126f16a, released in v1.13.2
15/1/2020 XSS XSS on flags state page Numan Turle Low ($64) Fixed, released in v1.13.2
18/1/2020 Other Local file deletion by admin/gmod only Numan Turle How ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/153b1a0eaaa9fb94f43cab6781921709fc83f975, released in v1.13.2
19/1/2020 XSS XSS on `?register` query param Numan Turle High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/c8fb7f924657782165c05b71bd1ce15d5329090c, released in v1.13.2
19/1/2020 XSS XSS on room system messages Numan Turle High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/6a63c1a100fd03360947a6d5c4d7f0e596a4398e, released in v1.13.2
23/1/2020 Bug Hidden email leak when creating flag Numan Turle Low ($64) Fixed in https://github.com/NodeBB/NodeBB/commit/418c174d56a5e53f174cd531719b291522470b23, released in v1.13.2
24/1/2020 Privilege Escalation Ability to change owner without permission Numan Turle High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/0ae1eb4f6e20b73067fd7fb175b9d975ec43f145, released in v1.13.2
25/1/2020 XSS XSS by global mod in ip blacklist Numan Turle High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/d927b763c1cd5a2325de83118a8076051731829f, released in v1.13.2
19/7/2020 Other Reverse tabnabbing in post images BugUsr Medium ($128) Fixed in https://github.com/NodeBB/NodeBB/commit/040e6a9a4c4393c27f5613ed7a25c9719a132b5b, released in v1.13.2
20/6/2020 Other Ability to delete files from local file system BugUsr Critical ($512+) Fixed in https://github.com/NodeBB/NodeBB/pull/8419, released in v1.14.0
20/6/2020 Other Ability to overwrite local files via admin upload BugUsr Critical ($512+) Fixed in https://github.com/NodeBB/NodeBB/pull/8419, released in v1.14.0
9/7/2020 Other Overwrite files with group cover image upload BugUsr Low ($64) Fixed in https://github.com/NodeBB/NodeBB/compare/c513b88dff57...73ddf1cb9890, released in v1.14.2
12/08/2020 Bug Privilege escalation via account takeover Muhammed Eren Uygun Critical ($512+) Fixed in https://github.com/NodeBB/NodeBB/commit/16cee1b03ba3eee177834a1fdac4aa8a12b39d2a, backported to v1.14.3