Best Of
Our HackerOne campaign & how it affects security at Vanilla
Hi all, I wanted to give you an update on the state of security practices at Vanilla, especially as it relates to HackerOne and our open source patch releases. I'll start with some background info, update you on the latest news, and then do a brief question & answer.
HackerOne background
HackerOne is a security bug bounty platform, which means it's a place for hackers to report discovered security issues in exchange for money, rather than using them maliciously. We launched our campaign there over a year ago and overall it's been very successful. Our rationale for doing so was that our open source users overlap very little with security researchers and therefore we receive little security scrutiny naturally. We decided it was in the best interest of both the company and the community to invest in more experienced folks investigating our software for problems.
In short, it's a very tangible way to prioritize security and invest in it, so we did so.
We've had an uptick in security releases since the program started, and moreso in the last few months. We expect to do more security releases before the end of the year. Basically: the program is working and our code base is being scrutinized more than it's ever been, so we're shipping patches as fast as we're able.
Some current metrics:
- We've awarded over $34,000 in bounties.
- In total, we've now evaluated 600 reports.
- Among them, we identified 139 legitimate reports from 73 different hackers.
- We average 1 day to ticket response, 6 days to triage, and 1 month to resolution.
"Resolution" for us means shipping an approved patch to both cloud and open source (all supported versions).
In the month of September we saw an abnormal surge in activity (more than 3x our normal level of legitimate reports) which caused some minor delays in delivering all patches.
Latest news
Yesterday, our company was blackmailed on Twitter regarding the open source release of a security patch. (Cloud customers were not affected by this threat; they were previously patched.) This was done by one of the HackerOne security researchers ("hackers") participating in our program (thus breaking the terms of service on HackerOne) who also made several accusations about our security practices. I will indirectly address some of those via question and answer below. We had awarded the hacker $3,000 in bounties, including $900 for the security patch in question prior to the blackmail.
The issue was submitted on Sept 18. 20 days ago, the hacker asked for an additional status update on the open ticket. We had previously explained the cause of delay (trying to bundle multiple security patches into 1 release to reduce the need for OSS updates) so we did not reply this time. 5 days ago, they asked again for an update and minutes later publicly messaged me a passive aggressive inquiry to my personal Twitter account (not the company's). We have escalation points listed in our campaign, we have a public company Twitter account, and my personal account is not tied to HackerOne in any way. I viewed this as an implicit threat and immediately blocked the user and ceased engaging over HackerOne. In retrospect, I should have passed on the HackerOne ticket to a colleague.
Yesterday, they included our company account on threats to 0-day our open source community (release details on an exploit for which no patch has been released) on Monday morning if the situation wasn't rectified to their liking. I am still unclear whether that happened. I later unblocked and engaged with them on Twitter to address some of the accusations made.
The direct consequence was a rushed late Sunday night release of Vanilla 2.6.4. In our haste, we accidentally included a config.php in the initial release that caused problems for some users. This was fixed by 8:20am ET this morning (thank you to Softaculous, @pioc34, and Twitter user console for quickly pointing out my mistake). We apologize for the oversight. We have fixed our tools to prevent a repeat.
You may recall the 2.6.1 release was similarly rushed. This was a process error on our part, not malicious activity. We accidentally agreed to disclosure of a security vulnerability that had not been patched in the 2.6 release. We've altered our process to prevent a repeat of that incident.
There's a lot of communication overhead to dealing with a HackerOne campaign in a growing company. We're learning quickly and adapting, and we apologize for the missteps we make along the way.
Question & Answer
How does Vanilla organize security releases?
We have a 5-day SLA on patching Critical exploits (usually we patch in 1 day). We backport all 'Critical' and 'High' severity patches to the latest stable releases of Vanilla. We patch cloud before open source. For Critical issues, this is usually a delay of minutes. For High issues, it may be delayed to open source by days or weeks to roll together multiple patches if they will soon be available. (We optionally backport 'Medium' severity patches at our discretion and do not backport 'Low'.)
Why does Vanilla sometimes hold security patches before releasing to open source?
The terms of our HackerOne campaign forbid disclosure until the report is resolved. We may hold a patch to group with additional patches in a single release if we have other similar severity reports open. We do this to avoid "update fatigue", where users start skipping updates if they are issued too frequently. We do not hold 'Critical' severity reports; they are always released immediately.
Why doesn't Vanilla issue CVE identifiers for reports?
Neither our customers nor open source community have requested this. It would require more time and steps to our workflow to accommodate this. In general, the only folks who have requested this are hackers seeking recognition. We previously provided public recognition in our release notes on this forum. We now provide it via HackerOne report disclosure. We do not contest the disclosure of resolved issues on HackerOne.
Why doesn't Vanilla make more explicit commit messages when patching security issues?
Sometimes we make commit messages that are either vague or technically accurate but not entirely forthcoming. We do this in the interest of not raising attention to an issue before we can finish the open source release process. Because our core software is entirely open source, a careful observer could gain awareness of a vulnerability and figure out how to abuse it before anyone has the option to update. Basically, we're buying you as much time as we can by not detailing every exploit and drawing attention to them. We understand some hackers take issue with this. We are more interested in protecting our users.
Why doesn't Vanilla have an automatic updater?
This is a huge feature fraught with its own security implications. We would support an open source effort to add this functionality to Vanilla, but we're not able to dedicate the resources necessary to it at this time so it seems very unlikely at this time. It remains the responsibility of each forum administrator to monitor our accounts for updates and do them in a timely manner. We use all available channels to communicate new releases when they are available (social media, email, and in-Dashboard feed). Before anyone says "but WordPress did it," kindly recall they are 1000x our size.
Thanks for reading and let us know if you have questions or suggestions in the comments.
Linc
Vanilla 2023.001 Open Source Release - PHP 8 Works! (Built From Source)
Hi All,
Woke up to the notification of the new 2023.001 Open Source release this morning.
Built it from source and am happy to report that most of the issues encountered in previous builds now all appear to be fixed from what I can see so far.
PHP 8 now properly works without any of my previous workarounds - Tested on PHP 8.1.12 and the absolute latest PHP 8.2.1! All works as far as I can see! 😁
The Admin Dashboard CSS display error that's plagued pretty much every release since 2021.012 is also sorted out now.
The blank "User Profile" page from the previous 2022.025 release is now working.
Have attached the built release for you all to enjoy!
Vanilla 2022.024 Open Source Release - Built From Source + Broken Admin Dashboard FIXED!
Merry Christmas all! :)
Here is the latest available Vanilla release (2022.024) built from source code, with the broken / blank Dashboard issue from some of the most current releases also fixed up. ☺️
Note: While I messed about and managed to get 2021.009 working on PHP 8, I have not had success with that yet for 2022.024, so this build will require PHP 7.4 still - but hey I figure that this is still an improvement on the last 2021.009 release!
TIP: Head over to the "Labs" page in Settings (/settings/labs) and enable the new Layout Editor, then go to the Appearance tab to customize the site layout :D
Ready to move to Flarum? I might be able to help
A couple weeks ago I did the first full community migration from Vanilla to Flarum. I'm willing to do a few more for free to work out further issues with the forum migration software I'm building.
Criteria:
- non-commercial community
- less than 5 million posts
- no hate speech on site
- timeline is 1-3 months (estimate only, depends on my weekend availability)
Caveats:
I'm not currently able to provide troubleshooting assistance for setting up a new Flarum site. You will need to set it up ahead of time with the appropriate plugins (I will provide a list of standard extensions to use if you want things like badges or private messages to transfer).
You will be responsible for moving files (uploads and avatars) separately. I'll provide instructions for that as well.
You will also be responsible for any redirects you wish to set up. Happy to provide advice from what I know, but that's not something I'm willing to set up for you today.
Workflow:
- You do a SQL export, zip it, and send me a link via a file service like Dropbox.
- We'll discuss how to handle special edge cases in your forum and I'll iterate on it for a bit.
- I'll provide 1 test SQL export for you to evaluate and provide feedback on issues you find.
- I will fix issues I'm willing and able to, then we'll pick a day for the final migration.
- Expect a full day of downtime. When ready, put your site into maintenance mode and send the final SQL export the same way. I'll return the finish product the same way.
I will provide a UTF-8 export regardless of what you initially provide. It's important you FORCE the test & final import to use UTF-8 encoding rather than letting the database tool detect and set it itself.
Security:
I'm willing to sign a very, very narrow NDA about data privacy if you require it. However, also note I have far more data security experience than most folks running forums (I drove application-level security efforts at Vanilla Forums Inc for most of its existence), so rest assured your data will only exist on encrypted drives and/or behind 2-factor authentication on my side, and I have no interest in it beyond improving & testing the migration software. The only time it's exposed is while we're transmitting it to each other via Dropbox link. Do not upload a data export to this site.
Interested? Fill out this form: https://forms.gle/rdB1SmgGNPMU6rML6
Private messages on this site are fine, or email me ( linc at icrontic.com ) with questions. Also happy to answer questions about DIY migrations or otherwise talk shop about communities.
Linc
Re: Where do we go now ?
I've gone ahead and built a release from the available sources released 4 days ago(!) hidden in the GitHub branches: https://github.com/vanilla/vanilla/tree/release/2022.021
These releases have been tagged but have not included a built package for some time. I will be testing this for PHP8 compatibility tomorrow.
Re: Where do we go now ?
While it's long tempted me to continue Vanilla, there's a difficult challenge. If you do a "community edition", you have no input on the roadmap. You're just a silent steward tied to whatever the company decides. I agree there's no reasonable hope for collaboration with them at this point. If you do a fork, now you're signing up for a world of maintenance, and you'd have to rebuild the open source developer community to about 2x its highest point to make that sustainable. Having a bespoke framework underpinning the whole thing is a very large maintenance liability and it hasn't kept pace with development trends.
Flarum has a strong development community and has more than adequate feature parity, imo. It's more challenging to install & update for non-developers, but they're working on that with reasonable priority. My biggest quibble with it is the Javascript-heavy UI, but I have plans to address that and most other folks don't share my concern. My preferred path forward for building community software is do it downstream from Flarum, using it as a dependency to make my own system, rather than building something from scratch again.
I just spent a year of my free time building a migration tool from Vanilla to Flarum, so I feel pretty strongly about it. For more info on moving to Flarum if that's your choice, see here: https://open.vanillaforums.com/discussion/39195/ready-to-move-to-flarum-i-might-be-able-to-help#latest
I built that tool with the ability to do different output/target plugins for other platforms, so it's fully extensible. That said, making target plugins is more challenging than source plugins because of the peculiarities of each new platform.
It's sad to say as I was using it since 2012
I just hit the 13th anniversary of my first code contribution to Vanilla this month. A bittersweet reminder these days, indeed. I really thought it could become the ubiquitous community software of the web, but the writing's been on the wall a long, long time now.
Linc
Re: Vanilla version 2021.009 is the latest stable release as of now
I tried 2021.025 on my forum in production (i'm silly).
I updated my 2021.012 version and i had only a php warning.
version.json file is missing in root directory, so the assets in source code of each page look like
<script src="/discussions/js/library/jquery.js?v=unknown" static="1" defer="defer"></script>
and in the dashboard bottom right, i had version: unknown
Forum works fine but i want to correct this, so, I upload on my website a version.json file with this (found in the vanilla github repo, i changed only 2022.006 to 2021.025)
{
"x-version-scheme": "{Release version}-{? SNAPSHOT if it's a dev build}",
"version": "2021.025"
}
now everythings seems ok. I will check my logs to see if i have others errors.
I tried to pass to PHP8 but had a 500 error. I have to check what is failing.
Thank you @R_J and others for your work for this community
pioc34
Vanilla version 2021.009 is the latest stable release as of now
Please ignore all the buggy releases after Vanilla 2021.009.
It's important to note the difference between "release" and "version" here: while you might be able to build a completely fine running forum from the sources on GitHub if you are a developer, there hasn't been any release which wasn't usable out of the box since release 2021.009.
I've compiled a 2021.025 version and if you like to give that a try and report your experiences back, we might recommend that until a new release will be published officially.
R_J
Re: Vanilla version 2021.009 is the latest stable release as of now
I don't believe you'll ever see another pre-built copy of Vanilla distributed by the company. I'd love to be wrong, I just don't see it happening, knowing what I do about internal politics there.
I do expect to continue seeing automated unbuilt "releases" like you see on GitHub currently, because those are serving some of their enterprise customers via the Docker installation.
I'm willing to answer questions for any senior members here that want to build, vet, and update the latest version in the addon directory. Unfortunately I'm not willing to lead that process myself any longer. I kept those releases going by my own force of will for more than 5 years and I'm tapped out.
Linc
Re: Vanilla 2021.012 is now available
There are plans for getting on a more consistent release cadence. I'm hoping to have an announcement on this tomorrow.
Appreciate everyone's patience!
Andrew