Security report from third-party researcher

Hello,

We have received a security report from a researcher on our Discourse-hosted instance. I went over it and some of the details are not clear to me, due to my lack of understanding of the platform.

I read the security guidelines, and it appears we need to submit it via HackerOne. The issue is I can either ask them to report directly, or do it myself (and possibly lose information in translation, given my knowledge gap).

Should I just forward the report to your email instead? In that case, I fear it might not be prioritized (you mention that in the guidelines).

Sorry about these questions, I am just trying to figure out what to do next. Thanks for your guidance, we love what you all do for us!

Cheers.

Try asking the researcher to submit it to HackerOne first. Researchers usually prefer that.

3 likes

It’s almost certainly bogus. “Security Spam” is a big problem. But responding to them with “Oh, thanks very much! We’re very happy that you have found this serious issue. Please report it to Hacker One at your earliest convenience to get the money that you so rightly deserve.” is likely how to prove to your superiors that you’re doing your job while also shutting up the spammers.

Good luck

1 like

Sure - will do. Thanks for confirming.

3 likes

Hah! I do think the report is legit. I would not have come here otherwise seeking advice.

In any case I understand the sentiment, I am the solo devops person for all our platforms and it does get annoying with some of these “beg-bounty” hunters. I share your frustration though.

Cheers.

3 likes

In that case, my response is also appropriate.

It does seem like anyone clever enough to find a bug in Discourse would also be clever enough to have found out about their Hacker One page.

If they did actually find a security issue, I’d love to hear about it when it’s resolved!

2 likes

If you received the report unsolicited, it’s almost certainly spam. I only mention this for other people reading the thread.

Thanks and I get the thing about spam.

In this case it is not unsolicited, I read and verified the report submitted to us via our own security policy channels. We have enough sophistication to cut down generic spam. The report appears to be a legit bug (if not a security issue yet, pending investigation).

I do not want people reaching here dismissing every report, especially if they lack complete working knowledge of Discourse internals.

I marked an earlier answer by the staff as the correct way to go about this, that is submit all reports to HackerOne.

Cheers!

3 likes

I share @raisedadead’s experience.

In the past years, we and some of our clients have had multiple cases of a security researcher turning to our client or to us with serious security issues that they later reported via HackerOne.

Security researchers are not always focused on the platform; sometimes they’re looking at the network or services tied to a specific company or community. In such a case it feels natural for them to report it to the actual owner of the forum instead of the developers of the software.

An additional complexity is that the security issues could have also been caused by a bespoke plugin or specific configuration.

1 like