TL;DR. NodeBB is secure enough practically.
In theory, NodeBB has some security weakness.
- Lack of captcha support
This is the only real security concern (I hate the captcha).
Oops, I had an outdated information.
nodebb-plugin-spam-be-gone (https://github.com/akhoury/nodebb-plugin-spam-be-gone) supports Google recaptcha.
NodeBB supports Redis, MongoDB and LevelDB.
These DBMS don't support authentication in the default configuration.
But, you can change the config, and NodeBB warns you when your DBMS doesn't support authentication.
Public readable src directory
$NODEBB_HOME/public/src directory are readable by any web users. (for example. https://community.nodebb.org/src/variables.js)
If you block this directory access, NodeBB doesn't work.
IMO, This is not a security vulnerability.
But, you can know whether your target is using NodeBB forum with ease and some security professionals would insist that this is the security vulnerability.
Transport layer security
This is not the responsibility of NodeBB developers. it is yours. use SSL whenever possible.
Upgrade Node.js to v0.8.27 or v0.10.29. (http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/)
There is no known security vulnerability now.
(I didn't perform the manual source code security audit or the automatic vulnerability assessment.)
p.s. If you find the security vulnerability of NodeBB, please notify to Julian Lam @julian and the community.