Skip to content
  • Home
  • Categories
  • Recent
  • Popular
  • World
  • Top
  • Tags
  • Users
  • Groups
  • Documentation
    • Home
    • Read API
    • Write API
    • Plugin Development
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo
v3.10.3 Latest
Buy Hosting
  1. Home
  2. NodeBB Development
  3. Security Vulnerability Notifications

Security Vulnerability Notifications

Scheduled Pinned Locked Moved NodeBB Development
security
2 Posts 1 Posters 1.2k Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • julianJ Offline
    julianJ Offline
    julian NodeBB GNU/Linux
    wrote on last edited by
    #1

    Hello all,

    tl;dr → tag; rss; ntfy; email; github (high/crit only)

    Prior to today we did not have a codified process for delivering security announcements and disclosing vulnerabilities to interested parties. Sometimes it was posted in the forum (in different categories), sometimes it was posted on our GitHub repo advisories, and sometimes it was just lumped into the changelog (especially for low priority fixes).

    Due to this variability, the only way to really be aware of a security vulnerability would be to actively check multiple places: this forum, our advisory list on GitHub, read through the changelog, etc. — none of which is feasible nor should be expected of you!

    Here is what has changed

    1. In the past month, you may have noticed that we started publishing disclosures using the security tag. This will be the official tag used by the NodeBB team, and its usage is restricted so only staff can use it.

    2. NodeBB also supplies an RSS feed for tags, so you can also add it to your favourite RSS reader!

    3. Additionally, new topics using the security tag will automatically send a notification via ntfy.sh via a unique topic name separate from your own: nodebb-security-announce. You can access this link via the web app or via the ntfy.sh app on Android or iPhone to subscribe to it.

    4. At the same time as the notification is sent out, an email will also be sent out to the nodebb-security-announce mailing list.

    5. Lastly, high and critical impact vulnerabilities will continue to be posted to our GitHub repo's Security Avisories page, which will also create a CVE for the disclosure.

    We wanted to come up with a solution that was simple-to-use (for us), and contained a central point of reference. We also wanted to be able to broadcast these notifications out via as many channels as possible. The security tag will remain as the canonical source for all security notifications.

    Please let us know if you have any questions or concerns about this system.

    1 Reply Last reply
    4
    • julianJ Offline
      julianJ Offline
      julian NodeBB GNU/Linux
      wrote on last edited by
      #2

      Additionally, a note about how our disclosures are reported.

      As outlined in our security policy, we maintain a bug bounty program. We use this as a central point of contact for reported vulnerabilities so that they do not get unintentionally exposed for exploit, and to keep better track of them over time.

      👉 BUG BOUNTY HOMEPAGE/RULES

      Included in that bug bounty page is a Hall of Fame, a list of users who have claimed credit for discovering bugs. It also provides a rough history of awarded bounties and vulnerabilities as well.

      1 Reply Last reply
      1

      Copyright © 2024 NodeBB | Contributors
      • Login
      • Don't have an account? Register
      • Login or register to search.
      Powered by NodeBB Contributors
      • First post
        Last post
      0
      • Home
      • Categories
      • Recent
      • Popular
      • World
      • Top
      • Tags
      • Users
      • Groups
      • Documentation
        • Home
        • Read API
        • Write API
        • Plugin Development