Bug Bounty Program

Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software1. However, no code is 100% perfect, and there are some vulnerabilities and bugs that could critically impact running instances of NodeBB.

As of November 2017, we've launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing security@nodebb.org.

We take every issue seriously, and aim to triage and deploy a fix as soon as possible.

Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.

We will award bounties for verified and qualified vulnerabilities as follows:

  • Medium ($128)
    • CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to
    • Exposure of private user data or content (e.g. exposure of private posts or user email/IP address, etc.)
  • High — XSS exploits ($256)
  • Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($512+)

Notes and Limitations

  • Report all bugs to security@nodebb.org. Posts to our forum or emailed directly to someone at the NodeBB team may result in delays.
  • Please test and report against our testbed instance: https://try.nodebb.org . It runs the latest released NodeBB code, and is updated one day after the latest release.
  • We reserve the right to reject a vulnerability report if it has been reported by someone else before you.
  • Social engineering attacks and physical attacks are not covered under the bug bounty umbrella
  • Only the core code and bundled plugins qualify for the bug bounty. Third-party plugins are not covered. The following modules are considered "bundled":
    • nodebb-plugin-composer-default
    • nodebb-plugin-dbsearch
    • nodebb-plugin-emoji
    • nodebb-plugin-markdown
    • nodebb-plugin-mentions
    • nodebb-plugin-soundpack-default
    • nodebb-plugin-spam-be-gone
    • nodebb-rewards-essentials
    • nodebb-theme-lavender
    • nodebb-theme-persona
    • nodebb-theme-slick
    • nodebb-theme-vanilla
    • nodebb-widget-essentials

We'll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on disclosure until a time is agreed-upon (typically 30-90 days).

Footnotes

1 Actually, it'd be a little sad if we didn't, wouldn't it?


Past Bounties

The following vulnerabilities have been identified and resolved. They are disclosed below for transparency reasons, as well as to reward those users who have spent time and effort to discover them.

Date Type Description Reporter Severity Notes
16/8/2017 XSS XSS in chat using an SVG tag as payload Jigar Thakkar High ($256) Resolved in df069ee, released in v1.6.0
16/8/2017 Bug window.opener is defined in target="_blank" links Jigar Thakkar High ($256) https://mathiasbynens.github.io/rel-noopener
Fixed in Markdown and IFramely plugins
16/8/2017 Bug Password reset route needs brute force prevention measures Jigar Thakkar Medium ($128) Fixed in v1.6.0
16/8/2017 XSS XSS in Moderation Note at user info page Jigar Thakkar High ($256) Fixed in dc9b210, released in v1.6.0
15/9/2017 Bug Information disclosure in groups api Andrew Cook Medium ($128) Fixed in https://github.com/NodeBB/NodeBB/commit/4c0d4308192d754d51ef4f9a0b831cb2f64ca81d, released in v1.6.1
9/10/2017 XSS XSS on outgoing url click (javascript: protocol payload) Larry Yuan Medium ($128) Fixed in https://github.com/NodeBB/NodeBB/commit/72502ff9923ed7d467209bc398635f55bad4be2a, released in v1.6.1
13/10/2017 XSS XSS in flag list and details page Private Party N/A Fixed in https://github.com/NodeBB/NodeBB/commit/b44cfacda1800ff193987fabd1a64a22fd7a981d, released in v1.7.0
31/10/2017 XSS Stored XSS due to vulnerable image upload handling Alexander Antukh High ($256) Fixed in https://github.com/NodeBB/NodeBB/commit/18f4f27fe0757ca11e4d54ab8ed38dc02ab3dbbb, released in v1.7.0
8/11/2017 Bug Unintentional leakage of private user information in users API Artur Matczak Medium ($128) Fixed as part of https://github.com/NodeBB/NodeBB/issues/5804, released in v1.7.0