Server-side request forgery vulnerability

It appears that what they’re talking about is our oneboxing functionality.

It’s not a vulnerability; it’s intended behaviour. If a URL is posted to a Discourse forum, an outbound request is done to attempt to retrieve metadata to construct a onebox.

This kind of report appears to be part of a low-effort scan of websites for generic “vulnerabilities” since they are not familiar with how the software they are testing works.

If they do have any findings we encourage them to submit them via our HackerOne bug bounty program.

If you have any further concerns we’d be happy to address them.

I don’t have any record of messages from this email address but we’ll investigate to see why we didn’t receive it.
