Security Vulnerability Notifications
Prior to today we did not have a codified process for delivering security announcements and disclosing vulnerabilities to interested parties. Sometimes it was posted in the forum (in different categories), sometimes it was posted on our GitHub repo advisories, and sometimes it was just lumped into the changelog (especially for low priority fixes).
Due to this variability, the only way to really be aware of a security vulnerability would be to actively check multiple places: this forum, our advisory list on GitHub, read through the changelog, etc. — none of which is feasible nor should be expected of you!
Here is what has changed
In the past month, you may have noticed that we started publishing disclosures using the
securitytag. This will be the official tag used by the NodeBB team, and its usage is restricted so only staff can use it.
NodeBB also supplies an RSS feed for tags, so you can also add it to your favourite RSS reader!
Additionally, new topics using the
securitytag will automatically send a notification via ntfy.sh via a unique topic name separate from your own: nodebb-security-announce. You can access this link via the web app or via the ntfy.sh app on Android or iPhone to subscribe to it.
At the same time as the notification is sent out, an email will also be sent out to the nodebb-security-announce mailing list.
Lastly, high and critical impact vulnerabilities will continue to be posted to our GitHub repo's Security Avisories page, which will also create a CVE for the disclosure.
We wanted to come up with a solution that was simple-to-use (for us), and contained a central point of reference. We also wanted to be able to broadcast these notifications out via as many channels as possible. The
securitytag will remain as the canonical source for all security notifications.
Please let us know if you have any questions or concerns about this system.
Additionally, a note about how our disclosures are reported.
As outlined in our security policy, we maintain a bug bounty program. We use this as a central point of contact for reported vulnerabilities so that they do not get unintentionally exposed for exploit, and to keep better track of them over time.
Included in that bug bounty page is a Hall of Fame, a list of users who have claimed credit for discovering bugs. It also provides a rough history of awarded bounties and vulnerabilities as well.