Bug Bounty Program

Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software1. However, no code is 100% perfect, and there might be some vulnerabilities and bugs that could critically impact running instances of NodeBB.

As of November 2017, we’ve launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing security@nodebb.org.

We take every issue seriously, and aim to triage and deploy a fix as soon as possible.

Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.

We will award bounties for verified and qualified vulnerabilities as follows:

  • Low ($0-$64)
    • e.g. Bugs and best-practice violations that do not strictly classify as a vulnerability
  • Medium ($128)
    • e.g. CSRF / exploit that causes a user to perform an operation they didn’t explicitly consent to
    • e.g. Exposure of private user data or content (e.g. exposure of private posts or user email/IP address, etc.)
  • High — XSS exploits and account takeovers ($256)
  • Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($512)

Notes and Limitations

  • 🚨 The only valid testing endpoint is https://try.nodebb.org 🚨
    • Report all vulnerabilities/bugs to security@nodebb.org. Posts to our forum or emailed directly to someone at the NodeBB team may result in delays.
    • It runs the latest released NodeBB code, and is reset and updated daily. Reports made against other endpoints will be marked as invalid.
    • All other associated properties of NodeBB (e.g. main website, SaaS portal, etc.) do not qualify for the bug bounty, only vulnerabilities confirmed on https://try.nodebb.org are eligible.
  • Do not send videos of the vulnerability – we are unable to view videos linked due to our company security policy. Please provide reproduction steps as completely as possible, or a proof-of-concept command/code if applicable.
    • e.g. If we have a vulnerability in our API, send us a curl command that successfully demonstrates the vulnerability
  • We reserve the right to reject a vulnerability report if it has been reported by someone else before you.
  • Social engineering attacks and physical attacks are not covered under the bug bounty umbrella
  • Vulnerability due to an outdated dependencies is typically not covered, but will be judged on a case-by-case basis (usually based on perceived impact)
  • Shell breakout and local file access vulnerabilities are judged based on access to an unprivileged shell account. Privilege escalation to root user on an affected system is outside of NodeBB’s scope.
    • We understand that if NodeBB were installed and executed under the root user, then a shell breakout could have disastrous results, but we caution against this in our documentation, and ultimately it is the responsibility of the system administrator to ensure that NodeBB is running with as few privileges as possible.
  • Only the core code and bundled plugins qualify for the bug bounty. Third-party plugins are not covered. The following modules are considered “bundled”:
    • nodebb-plugin-2factor
    • nodebb-plugin-composer-default
    • nodebb-plugin-dbsearch
    • nodebb-plugin-emoji
    • nodebb-plugin-markdown
    • nodebb-plugin-mentions
    • nodebb-plugin-soundpack-default
    • nodebb-plugin-spam-be-gone
    • nodebb-rewards-essentials
    • nodebb-theme-lavender
    • nodebb-theme-persona
    • nodebb-theme-slick
    • nodebb-theme-vanilla
    • nodebb-widget-essentials

If you are unsure about any of the above limitations, please reach out to us at security@nodebb.org (or use the contact form). We want to empower people to find and disclose vulnerabilities while reducing wasted time (on our part and yours!) as much as possible.

We’ll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on disclosure until a time is agreed-upon (typically 30-90 days).


1 Yes, of course we dogfood our own product! It’d be a little sad if we didn’t, wouldn’t it?

Hall of Fame (Past Bounties)

The following vulnerabilities have been identified and resolved. They are disclosed below for transparency reasons, as well as to reward those users who have spent time and effort to discover them.
DateTypeDescriptionReporterFixed in
16/8/2017XSSXSS in chatJigar Thakkar1.6.0
16/8/2017Bugwindow.opener is defined in target="_blank" linksJigar ThakkarN/A
16/8/2017BugPassword reset route needs brute force prevention measuresJigar Thakkar1.6.0
16/8/2017BugPassword reset tokens should expire if email changedJigar Thakkar1.6.0
18/8/2017XSSXSS in Moderation Note at /user//infoJigar Thakkar1.6.0
15/9/2017Buginformation disclosure in groups apiAndrew Cook1.6.1
9/10/2017XSSXSS on outgoing url click (javascript: protocol payload)Larry Yuan1.6.1
13/10/2017XSSXSS in flag list and details pagePrivate Report1.7.0
31/10/2017XSSStored XSS due to vulnerable image upload handlingAlexander Antukh1.7.0
8/11/2017BugUnintentional leakage of private user information in users APIArtur Matczak1.7.0
29/11/2017BugMessage retrieval via socket (mid) doesn't check uidAlexander Antukh1.7.2
30/11/2017XSSStored XSS in x-forwarded-forAlexander Antukh1.7.2
1/12/2017XSSStored XSS in the admin panel (registration queue), script in email fieldAlexander Antukh1.7.2
1/12/2017BugUser list CSV DoS if referenced as image and pasted many many timesAlexander Antukh1.7.2
14/12/2017BugImage upload by URL can leak port status via reflectionPrivate Report1.7.3
11/12/2017BugInformation disclosure (IP addresses) via post-geolocationArtur Matczak1.7.3
15/1/2018BugReset token contained in Referer header when navigating to external linksAli Razzaq1.7.4
20/2/2018BugToken leak in referer header from external resources loaded in reset confirmation pagePrivate Report1.8.0
21/2/2018BugStrict transport security not enforcedPrivate Report1.8.0
26/3/2018BugPassword Policy not enforced in password reset routeMohammed Abdul Raheem1.8.2
3/4/2018Bugwindow.opener exposed on outgoing links opened in new tabAlbin Thomas1.8.2
3/4/2018CSRFno csrf in sso disassociateLarry Yuan
12/4/2018XSSEmoji are not sanitized when put into a link or image URL.Larry Yuan(1.9.0)
3/6/2018BugWindow opener is available if user specifies opening of external links in new tab (noopener not adhered to by ajaxify)Albin Thomas1.10.0
5/6/2018Othernodebb.org domain missing DMARC record, SPF is set to softfailMohammed Abdul RaheemN/A
5/6/2018CSRFSSO implementation missing CSRF/state/nonce protectionLarry Yuan1.10.0
11/6/2018XSSXSS in Chat "roomName" parameterAlexander Antukh1.10.0
22/6/2018XSSXSS in upload from urlPiyush Malik1.10.0
26/6/2018XSSXSS in composer routeHuzaifa Jawaid1.10.0
29/6/2018OtherMissing session revocation on email changeShammam Raza1.10.1
3/7/2018BugSocket user.deleteAccount has no server-side checks for password correctnessChakri1.10.1
4/7/2018BugReset code leaked to third-party analytics, etc. due to presence in pathYeasir Arafat1.10.1
11/7/2018BugChange password/email routes do not have brute force protection for passwordVicky Vk1.10.2
5/9/2018XSSpost queue xssArtur Matczak1.10.2
10/9/2018BugUploading large image hangs nodebbBuğra Eskici1.10.2
21/12/2018Bug2fa can be disabled on login screenBuğra Eskici1.12.0
16/01/2019OtherLocal file traversalJacopo Gallelli1.12.0
21/09/2019XSSSVG upload as cover with malicious jsQing Wang1.13.0
30/11/2019BugUser profile page shows content of deleted postsYossi Zahn1.13.1
16/12/2019BugComposer open redirectionPatrick Philip Sanchez1.13.1
7/1/2020Privilege EscalationPrivilege escalation to admin opliko1.13.2
11/1/2020Bugxss in language field on settings pageNuman Turle1.13.2
15/1/2020XSSxss in topic thumb uploadNuman Turle1.13.2
17/1/2020Bugxss on user settings page homepageRoute/bootswatchSkinNuman Turle1.13.2
15/1/2020Bugxss on flags state pageNuman Turle1.13.2
18/1/2020Otherlocal file deletion by admin/gmod onlyNuman Turle1.13.2
19/1/2020XSSxss on ?register query paramNuman Turle1.13.2
19/1/2020XSSxss on room system messagesNuman Turle1.13.2
23/1/2020Bughidden email leak when creating flagNuman Turle1.13.2
24/1/2020Privilege Escalationability to change owner without permissionNuman Turle1.13.2
25/1/2020XSSxss by global mod in ip blacklistNuman Turle1.13.2
19/07/2020OtherReverse tabnabbing in post imagesBugUsr1.14.0
19/06/2020OtherLong-lived profiles expose DoS capability via profile exportBoomzilla
20/06/2020OtherAbility to delete files from local file systemBugUsr1.14.0
20/06/2020OtherAbility to overwrite local files via admin uploadBugUsr1.14.0
9/7/2020OtherOverwrite files with group cover image uploadBugUsr1.14.2
12/8/2020Privilege EscalationPrivilege escalation via account takeoverMuhammed Eren Uygun1.14.3
24/09/2020OtherAble to install arbitrary git repos via ACP plugins systemNuman Turle1.15.0
09/10/2020BugRSS category feed shows deleted topicsUtkrsh1.15.0
12/10/2020BugReset token not invalidated upon account password changeSaiful Islam1.15.0
15/10/2020BugAbility to change specified user profile settings (idor)s1m0x1.15.0
2/11/2020BugNo password length check on /registerHamza Farooqi1.15.0/1.15.1
20/11/2020BugTopic thumb accepts arbitrary user input via composer (should only allow uploaded files)s1m0x1.15.3
09/04/2021XSSXSS in custom flag reason, leads to priv escalation via socket callArtur Matczak1.17.0
11/06/2021OtherSuccessive reset tokens do not invalidate prior generated tokensSammam Raza1.17.2
11/06/2021OtherEmail enumeration in user email edit and registration endpointsSammam Raza1.17.3/1.18.0
11/06/2021BugAccount takeover via Google SSO plugin (via shared link to /auth/callback with valid code)Mar0uane1.17.2
11/06/2021BugReset token remains valid after successful loginSammam Raza1.17.2
12/06/2021Bugv3 users API leaks PII (email)Sammam Raza1.17.2
25/10/2021BugPath traversal bug in translator modulePaul Gerste1.18.5
25/10/2021BugPrototype pollution in uploaderPaul Gerste1.18.5
25/10/2021BugAuth bypass in write api verifyTokenPaul Gerste1.18.5
8/11/2021BugEmail is not cleared from old account when email is validatedVikash Maurya1.19.0
8/11/2021BugEmail enumeration via updateProfile methodVikash Maurya1.19.0
7/1/2022BugLogged-in sessions are not revoked on password resetUddeshaya Srivastava1.19.0
7/3/2022BugMisconfigured image link can cause forum to hangMax Thonagel1.19.4
18/03/2022BugCache-Control headers not provided on user-specific endpointsHz3666Ghost1.19.6
12/04/2022BugDeleted chat message visible in cleanedContent fieldAlexey Leonov1.19.6
25/05/2022Privilege EscalationInsecure Math.random() used to generate password reset tokensEldar Zeynalli1.19.8/2.0.1
28/06/2022BugUnintentional leakage of private user information in users list controllerAshish Sharma2.2.2
20/07/2022BugEmail confirmation tokens not invalidated on password changeUddeshaya Srivastava2.2.5
03/08/2022BugRegression — password challenge removed in email change flowUddeshaya Srivastava2.4.0
02/09/2022Bug"backgroundImage" property on ACP category page not escaping user inputKurt Boberg2.5.1
8/9/2022BugSelf-reflected XSS on composer title field (no security impact)Safwat Refaat2.5.3
9/11/2022BugMissing CSRF token validation on /register/abortRanjeet Kumar Singh (geekboyranjeet)2.5.8
27/11/2022Privilege EscalationPrototype exploit leads to privilege escalationStephen Bradshaw2.6.1
24/12/2022BugImproper handling of post checks allowing for bypass of post limitationsPRAVEENRAJ N2.8.1
30/12/2022BugPrototype exploit leads to privilege escalationMan Pike2.8.1
11/1/2023OtherLeakage of user data prior to full second-factor authenticationMohamed Althaf2.8.2
1/3/2023BugPath traversal and code execution via prototype vulnerability starinfar2.8.7
27/3/2023BugUnhandled exception in socket.io message handler due to improper type checkingNgo Wei Lin (@creastery)2.8.10
27/3/2023BugSuperfluous code in loader.js allowing for halting of loader process on successive child process failuredNgo Wei Lin (@creastery)2.8.10
04/05/2023Privilege EscalationCross-Site WebSocket Hijacking (CSWSH)Elliot W. of Snyk2.8.13/3.1.3
13/6/2023BugImproper neutralization of user input in image wrapping codeGrzegorz Niedziela2.8.15
28/8/2023BugDeleted chat message can be loade via api/v3 end pointJulfikar Hyder, Beetles Cyber Security Ltd.3.4.0
11/9/2023BugtoMid property can be used to read messages sent before joining roomJulfikar Hyder, Beetles Cyber Security Ltd.3.4.2
20/9/2023BugOverly broad 2FA prefix exemption on /api/v3opliko3.4.3/3.5.0
© 2014 – 2023 NodeBB, Inc. — Made in Canada.