Sourcemap sensitive files leaked

Hi we got a HackenProof bounty about our Discourse site. We have upgrade to v3.10.beta3 +155 but didn’t see anything relevant in the release notes that is relevant to the bounty reported to us. Is this something new or not of concern?


The danger is that the attacker obtains the source code and sensitive information , and non-public api


The temporary solution is to delete the .map file in the code directory; The permanent solution is to disable the function of generating map files during build

I think you can refer to this link

I think the answer is that there is no non-public API. It’s documented at GitHub - discourse/discourse: A platform for community discussion. Free, open, simple. and if you don’t know how to read that, you can always Reverse engineer the Discourse API.

I really hate bogus security spam.


I’m not sure they’re all bogus, but more than a few of them seem like they’re trolling for consulting projects. (But Big Eight accounting firms do that, too, and what they’re usually selling you is a pre-paid report which they revise slightly and charge you $20K.)


Thanks for your feedback. I wasn’t sure if this is truly is an issue.

1 Like

Imagine fishing for a consulting project on the basis of warning someone their source code has leaked … and the site is built on one of the most famous open source projects in existence :sweat_smile:


Yeah, but every time one of these things arrives, I get an email from the executive director asking if this is something to worry about, even though I’m officially retired.