Bug Bounty

Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software1. However, no code is 100% perfect, and there might be some vulnerabilities and bugs that could critically impact running instances of NodeBB.

As of November 2017, we’ve launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing security@nodebb.org.

We take every issue seriously, and aim to triage and deploy a fix as soon as possible.

Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.

We will award bounties for verified and qualified vulnerabilities as follows:

  • Low ($0-$64)
    • e.g. Bugs and best-practice violations that do not strictly classify as a vulnerability
  • Medium ($128)
    • e.g. CSRF, or any exploit that causes a user to perform an operation they did not explicitly consent to
    • e.g. Exposure of private user data or content (e.g. private posts, user email addresses, IP addresses, etc.)
  • High ($256)
    • e.g. XSS exploits and account takeovers
  • Critical ($512)
    • e.g. Exploits resulting in privilege escalation to admin, or in downloading the site database

Notes and Limitations

  • 🚨 The only valid testing endpoint is https://try.nodebb.org 🚨
    • It runs the latest released NodeBB code, and is reset and updated daily. Reports made against any other endpoint will be marked as invalid.
    • All other properties associated with NodeBB (e.g. the main website, the SaaS portal, etc.) do not qualify for the bug bounty; only vulnerabilities confirmed on https://try.nodebb.org are eligible.
    • Report all vulnerabilities/bugs to security@nodebb.org. Posts to our forum, or emails sent directly to an individual member of the NodeBB team, may result in delays.
  • Do not send videos of the vulnerability: our company security policy prevents us from viewing linked videos. Instead, provide reproduction steps as completely as possible, or a proof-of-concept command/code if applicable.
    • e.g. If the vulnerability is in our API, send us a curl command that successfully demonstrates it
  • We reserve the right to reject a vulnerability report if the same issue has already been reported to us by someone else.
  • Social engineering attacks and physical attacks are not covered under the bug bounty umbrella.
  • Vulnerabilities due to outdated dependencies are typically not covered, but are judged on a case-by-case basis (usually based on perceived impact).
  • Shell breakout and local file access vulnerabilities are judged based on access to an unprivileged shell account. Privilege escalation to root user on an affected system is outside of NodeBB’s scope.
    • We understand that if NodeBB were installed and executed under the root user, then a shell breakout could have disastrous results, but we caution against this in our documentation, and ultimately it is the responsibility of the system administrator to ensure that NodeBB is running with as few privileges as possible.
  • Only the core code and bundled plugins qualify for the bug bounty. Third-party plugins are not covered. The following modules are considered “bundled”:
    • nodebb-plugin-2factor
    • nodebb-plugin-composer-default
    • nodebb-plugin-dbsearch
    • nodebb-plugin-emoji
    • nodebb-plugin-markdown
    • nodebb-plugin-mentions
    • nodebb-plugin-soundpack-default
    • nodebb-plugin-spam-be-gone
    • nodebb-rewards-essentials
    • nodebb-theme-lavender
    • nodebb-theme-persona
    • nodebb-theme-slick
    • nodebb-theme-vanilla
    • nodebb-widget-essentials

If you are unsure about any of the above limitations, please reach out to us at security@nodebb.org (or use the contact form). We want to empower people to find and disclose vulnerabilities while reducing wasted time (on our part and yours!) as much as possible.

We’ll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on public disclosure until a date is agreed upon (typically 30-90 days after the report).

Footnotes

1 Yes, of course we dogfood our own product! It’d be a little sad if we didn’t, wouldn’t it?