What is Discourse's policy on penetration testing and reporting security bugs?

Security vulnerabilities in IT systems and applications are becoming more and more of a hot topic these days. Different organizations have different policies regarding the acceptance of volunteer penetration testers’ efforts, and the submission of security vulnerability data.

While I personally do not have immediate plans to go hunting for weaknesses in the Discourse platform, I think the following questions should be answered for anyone who may.

  • How does CDCK, Inc. feel about “white hat” penetration testers actively looking for vulnerabilities in the Discourse application or on servers at try.discourse.org?
  • How should security vulnerabilities, whether discovered deliberately or incidentally, be reported - should they be posted to Meta.Discourse, or sent to a specific e-mail address?

6 Likes

Fine, test away!

Email anything you find to team@discourse.org – I realized we don’t actually print this email anywhere on our website proper… oops. Will fix.

1 Like

At the opposite end of reporting - notifying those who’ve got Discourse running - will you set up either a “security-announce” mailing list, and/or RSS feed?

5 Likes

You can just follow @discourse on Twitter, anything of significance will be posted there.

There is also security.md in the /docs folder of the project, which documents related security stuff.

1 Like