Hello, We have received a security report from a researcher on our Discourse-hosted instance. I went over it and some of the details are not clear to me, due to my lack of understanding of the platform. I read the security guidelines, and it appears we need to submit it via HackerOne. The issue is…

It’s almost certainly bogus. “Security Spam” is a big problem. But responding to them with “Oh, thanks very much! We’re very happy that you have found this serious issue. Please report it to Hacker One at your earliest convenience to get the money that you so rightly reserve.” is likely how to prove…

Sure - will do. Thanks for confirming.

Hah! I do think the report is legit. I would not have come here otherwise seeking advice. In any case I understand the sentiment, I am the solo-devops person for our all our platforms and it does get annoying with some of these “beg-bounty” hunters. I share your frustration though. Cheers.

In that case, my response is also appropriate. It does seem like anyone clever enough to find a bug in Discourse would also be clever enough to have found about their Hacker One page. If they did actually find a security issue, I’d love to hear about it when it’s resolved!

If you received the report unsolicited, it’s almost certainly spam. I only mention this for other people reading the thread.

Thanks and I get the thing about spam. In this case it is not unsolicited, I read and verified the report submitted to us via our own security policy channels. We have enough sophistication to cut down generic spam. The report appears to be a legit bug (if not a security issue yet, pending investig…

I share @raisedadead ’s experience. In the past years, we and some of our clients have had multiple cases of a security researcher turning to our client or to us with serious security issues that they later reported via HackerOne. Security researchers are not always focused on the platform; sometim…

Security report from third-party researcher

Support

Falco (Falco) October 27, 2025, 1:25pm 2

Try asking the researched to submit it to HackerOne first. Researchers usually prefer that.

Topic		Replies	Views
Security issues from automated scans Support	2	129	October 15, 2024
What is Discourse's policy on penetration testing and reporting security bugs? Site feedback	4	3038	May 19, 2014
How secure is Discourse? Support	11	5873	May 15, 2019
Responsible Disclosure Support	5	1222	October 29, 2018
Greater transparency over severity of security issues Support	2	503	April 2, 2021

Security report from third-party researcher

Related topics