Phabricator

Phabricator is a collection of open source web applications that help software companies build better software.

  • Minimum bounty: $300
  • Hackers thanked: 6
  • Bugs closed: 11

Security is serious business, just like Phabricator. If you can find a security vulnerability in the project, we’ll reward you with cold, hard cash. The cash will be transmitted electronically, so it will be cold and hard only figuratively.

Important: Install A Local Copy

  • Phabricator is free, open source software. Install a copy of Phabricator locally and test against it. Do not test an install that you don't own!
  • For instructions on installing a local copy of Phabricator, see the Installation Guide.

The Fine Print

  • Responsibly disclose a previously unknown vulnerability directly to us.
  • This vulnerability must significantly compromise the security of a typical Phabricator installation.
  • Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.
  • Vulnerabilities in Arcanist, libphutil, and Javelin are in scope.
  • Vulnerabilities in other bundled dependencies (in externals/ directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.

Getting Started

  • You can find the source and start looking for vulnerabilities on GitHub.
  • If you want to get in touch with us to ask questions, see Give Feedback! and Get Support!.
  • Phabricator has more than 300,000 lines of PHP, so there are probably at least sixty or seventy million security vulnerabilities in the project. Virtually limitless wealth!

Response Timeline

  • We will respond to reports within 24 hours.
  • We will fix security issues within 24 hours of confirming them.

Bounty Range: ~$300 - $3,000, based on severity.

  • 27 days ago: Phabricator resolved a bug that was submitted by lars.
  • about 1 month ago: The Internet Bug Bounty rewarded tomvg with a $300 bounty for a Phabricator bug: Persistent XSS: Editor link.
  • about 1 month ago: Phabricator resolved Persistent XSS: Editor link that was submitted by tomvg.
  • about 1 month ago: The Internet Bug Bounty rewarded goldshlager with a $400 bounty for a Phabricator bug: OAuth Stealing Attack (New).
  • about 1 month ago: Phabricator resolved OAuth Stealing Attack (New) that was submitted by goldshlager.
  • about 1 month ago: The Internet Bug Bounty rewarded dawidczagan with a $300 bounty for a Phabricator bug: Control character allowed in username.
  • about 1 month ago: Phabricator resolved Control character allowed in username that was submitted by dawidczagan.
  • about 1 month ago: The Internet Bug Bounty rewarded goldshlager with a $450 bounty for a Phabricator bug: OAuth access_token stealing in Phabricator.
  • about 1 month ago: Phabricator resolved OAuth access_token stealing in Phabricator that was submitted by goldshlager.
  • about 1 month ago: The Internet Bug Bounty rewarded mlitchfield with a $300 bounty for a Phabricator bug: UnAuthorized Editorial Publishing to Blogs.
  • about 1 month ago: Phabricator resolved UnAuthorized Editorial Publishing to Blogs that was submitted by mlitchfield.
  • about 2 months ago: The Internet Bug Bounty rewarded mathias with a $300 bounty for a Phabricator bug: Login CSRF using Twitter OAuth.
  • about 2 months ago: Phabricator resolved Login CSRF using Twitter OAuth that was submitted by mathias.
  • about 2 months ago: The Internet Bug Bounty rewarded tomvg with a $500 bounty for a Phabricator bug: Bypass auth.email-domains (2).
  • about 2 months ago: Phabricator resolved Bypass auth.email-domains (2) that was submitted by tomvg.
  • about 2 months ago: The Internet Bug Bounty rewarded tomvg with a $1,000 bounty for a Phabricator bug: Bypass auth.email-domains.
  • about 2 months ago: Phabricator resolved Bypass auth.email-domains that was submitted by tomvg.
  • 3 months ago: The Internet Bug Bounty rewarded dawidczagan with a $300 bounty for a Phabricator bug: Log in a user to another account.
  • 3 months ago: Phabricator resolved Log in a user to another account that was submitted by dawidczagan.
  • 5 months ago: Phabricator has started using HackerOne.