Security is serious business, just like Phabricator. If you can find a security vulnerability in the project, we’ll reward you with cold, hard cash. The cash will be transmitted electronically, so it will be cold and hard only figuratively.
Important: Install A Local Copy
- Phabricator is free, open source software. Install a copy of Phabricator locally and test against it. Do not test an install that you don't own!
- For instructions on installing a local copy of Phabricator, see the Installation Guide.
The Fine Print
- Responsibly disclose a previously unknown vulnerability directly to us.
- This vulnerability must significantly compromise the security of a typical Phabricator installation.
- Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.
- Vulnerabilities in Arcanist, libphutil, and Javelin are in scope.
- Vulnerabilities in other bundled dependencies (in externals/ directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.
- You can find the source and start looking for vulnerabilities on GitHub.
- If you want to get in touch with us to ask questions, see Give Feedback! and Get Support!.
- Phabricator has more than 300,000 lines of PHP, so there are probably at least sixty or seventy million security vulnerabilities in the project. Virtually limitless wealth!
- We will respond to reports within 24 hours.
- We will fix security issues within 24 hours of confirming them.
Bounty Range: ~$300 - $3,000, based on severity.