Greater transparency over severity of security issues

I believe the discourse team could do a better job at transparency over security issues. The last one only says:

This beta includes 1 security fix for issues reported by our community and HackerOne 8.

  • Prefer Loofah for processing cooked HTML

And I was not able to find said report on HackerOne.

Ideally the release would include a link to the HackerOne report and the severity of the security issue at hand.

1 Like

Hey @core,

The security fix info is intentionally non-detailed. Sites upgrade at different speeds, while we want to share that there was a security fix, we don’t want to provide detail to allow malicious actors to easily exploit it. The security fix is the commit message, so you can always look at our GitHub repo for security commits to see the code changes if you like.

We do not make our HackerOne reports public. While we previously allowed hackers to request disclosure of their reports, due to abuse received after doing so on multiple occasions we discontinued that.

2 Likes