Security Research

While FluxBB is designed with security in mind, the possibility of security issues being introduced is ever a problem. Learn how to responsibly disclose any vulnerabilities you may find. Researchers may be eligible for a place in our Security Hall of Fame.

Introduction An insight in to the program

At FluxBB, we take security as the highest priority. Both ourselves and our users need to trust that the software they're using is secure and will remain secure throughout the years. We've encountered vulnerabilities which have been disclosed to us by members of the community and encountered some which have been spread around the web. The latter is something which we want to avoid to protect our users and make understanding the issue easier. For those who responsibly disclose vulnerabilities within the FluxBB software, we have a Security Hall of Fame for bragging rights.

The Rules How to be eligible

To be eligible for a place in the Security Hall of Fame you must follow a set of rules:

  • Don't attempt to exploit any FluxBB forum without the expressed permission of the owner. If possible, use a local copy of FluxBB to confirm whether the vulnerability exists or not.
  • Under no circumstances should you try to exploit the FluxBB Community Forums or any other resource owned by the FluxBB Group.
  • Don't publicly disclose the vulnerability before it has been fixed.
  • The software in question is limited to the FluxBB Forum Software. Vulnerabilities within third party FluxBB plugins do not count.
  • The vulnerability must be a technical vulnerability. Social engineering or phishing attacks do not count.
  • Bugs which introduce PHP warnings or SQL errors (that aren't due to SQL injection) do not count.
  • Only the person who discovered the vulnerability is eligible.
  • Spam attacks (Bypassing captchas for instance) do not count.
  • The vulnerability must be present in the latest stable release of FluxBB. Vulnerabilities within development releases or older versions do not count.

Reporting How to report a vulnerability

If you have discovered a potential vulnerability or security risk, we encourage you to responsibly disclose it to us via the Private Inquiries forum. Even if you do not meet the requirements to be eligible for a place in our hall of fame, please do not hesitate to report it anyway. The more details you provide and the better you can explain the issue, the faster we can release a patch and keep our users safe. Please wait up to 24 hours for a response. We're all volunteers and it may take a while to understand the issue and to look in to it.

Third Party Content How to handle third party software

While only vulnerabilities you find within the FluxBB forum software make you eligible for a place in the hall of fame, we do encourage you to report any vulnerabilities you may find within third party content to the authors. Our aim is to keep our users safe and plugins play a major role in introducing security issues.

Get Involved