I have found a potentially concerning issue with the Terms of Service page on all Discourse installs (including
The ToS section 7. Content Posted on Other Websites contains links to
non-currentdomain.tld. These links are clickable because they are parsed just like any other post.
This allows for domain-squatting unregistered
non-currentdomain.tld in some cases. A good example of this is
As a proof of point, I have registered non-openwrt.org.
You can see my “detailed” write-up here: ComputeCode - Non-OpenWrt
I did not see this bug as worthy of a security bounty, but if you would like this submitted as one, please let me know.
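A site admin can check their own ToS text for this pattern with a small audit like the one below. It is an added example, not part of the original post or of Discourse's code; `audit_tos`, `classify`, the hostname regex and the sample text with `example.org` are all constructed assumptions. It flags auto-linkable hostnames that merely end in the site's domain string (such as `non-example.org`) separately from true subdomains.

```python
import re

# Bare hostnames a linkifier would plausibly turn into links: dot-separated
# labels ending in an alphabetic TLD. Simplified pattern (assumption); the
# lookbehind skips e-mail addresses and the tail of longer names.
HOST_RE = re.compile(
    r"(?<![\w@.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24})(?![\w-])",
    re.IGNORECASE,
)

def classify(host, own_domains):
    """Return 'own', 'lookalike' or 'external' for one hostname."""
    host = host.lower().rstrip(".")
    own = [d.lower() for d in own_domains]
    # A host is ours only on an exact match or a label-boundary suffix match.
    if any(host == d or host.endswith("." + d) for d in own):
        return "own"
    # Ends with our domain string but not at a label boundary, e.g.
    # "non-example.org": a separate registrable domain anyone could own.
    if any(host.endswith(d) for d in own):
        return "lookalike"
    return "external"

def audit_tos(text, own_domains):
    """List (host, kind) for every linkable hostname that is not ours."""
    findings, seen = [], set()
    for match in HOST_RE.finditer(text):
        host = match.group(1).lower()
        kind = classify(host, own_domains)
        if kind != "own" and host not in seen:
            seen.add(host)
            findings.append((host, kind))
    return findings

# Constructed sample text, modelled on the section described in the post.
SAMPLE_TOS = (
    "## 7. Content Posted on Other Websites\n"
    "We have not reviewed all material on pages to which example.org links. "
    "example.org has no control over those non-example.org websites. "
    "See https://forum.example.org/tos and licenses.example.net for details. "
    "Contact admin@example.org."
)

if __name__ == "__main__":
    for host, kind in audit_tos(SAMPLE_TOS, {"example.org"}):
        print(f"{kind:9} {host}")
```

Any `lookalike` finding is a hostname to either reword in the ToS text so it no longer links, or to register defensively.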