Security is serious business, just like Phabricator. If you can find a security vulnerability in the project, we’ll reward you with cold, hard cash. The cash will be transmitted electronically, so it will be cold and hard only figuratively.
- IMPORTANT: DO NOT TEST
secure.phabricator.com. Do not test an install of Phabricator that you do not own. This includes
secure.phabricator.comand any other existing install you might find. If you report an issue against
secure.phabricator.comor another install you do not own, it will not be accepted. Instead, install a local copy of Phabricator. This will let you test Phabricator without disrupting other users.
- IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with
phabricator.com, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the Phabricator software itself.
- For instructions on installing a local copy of Phabricator, see the Installation Guide.
- We receive many reports (significantly more than 50%) from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "mongoose" somewhere in your report. If you do not, your report will be closed as invalid.
The Fine Print
- Responsibly disclose a previously unknown vulnerability directly to us.
- This vulnerability must significantly compromise the security of a typical Phabricator installation.
- Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.
- Vulnerabilities in Arcanist, libphutil, and Javelin are in scope.
- Vulnerabilities in other bundled dependencies (in
externals/directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.
- You can find the source and start looking for vulnerabilities on GitHub.
- Phabricator has more than 300,000 lines of PHP, so there are probably at least sixty or seventy million security vulnerabilities in the project. Virtually limitless wealth!
- We will respond to reports within 24 hours.
- We will fix security issues within 24 hours of confirming them.
Bounty Range: ~$300 - $3,000, based on severity.