Security issues

Hi!

We are self hosting Discourse, and as a requirement for our company, we are running code scans. We found a lot of vulnerabilities… hacker one is not the most practical way of reporting each of the issues we found. What do you recommend?

From discourse/docs/SECURITY.md at main · discourse/discourse · GitHub

Where should I report security issues?

In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please use our vulnerability disclosure program at Hacker One to provide details and repro steps and we will respond ASAP. If you are unable to use Hacker One, email us directly at team@discourse.org with details and repro steps. Security issues always take precedence over bug fixes and feature work. We can and do mark releases as “urgent” if they contain serious security fixes.

Please note: Due to a significant number of low quality security reports sent via email, we are unlikely to act on security reports sent to us via email unless they come from a trusted source, and include details on the vulnerability and step by step instructions to reproduce it. Theoretical reports without a proof of concept are not accepted. We strongly recommend you follow the Hacker One submission protocols.

Scans from off the shelf tools produce an absurd amount of false positives, which no one wants to waste time on.

If you found an actual issue, please report via our Hacker One page, which is mostly in place so there is a layer that validates each report and ensure they aren’t invalid.