HackerOne campaign has begun in invite-only mode [update: public now]
As of yesterday, we've privately launched on HackerOne as part of our ongoing plans to improve Vanilla's security and invest in that part of our workflow. HackerOne is a third-party service for managing security reports and encouraging hackers to participate in the security evaluation of our software and websites in exchange for cash bounties. We've been making preparations to launch this campaign since this past winter. Our campaign is currently in invite-only mode while we get started. We hope to progress to a public campaign in a few months.
I am bringing this to the community's attention for two reasons. First, if any of our open source contributors are interested in being invited to the campaign, you can contact me to be added; please create a HackerOne account before doing so. Second, you may see an increase in people attempting to find vulnerabilities in this site. While we have asked that hackers please not disrupt the community, I'm sure some will do so anyway. For moderators reading this: that content can be deleted and the user accounts banned.
Vanilla has conducted several rounds of security testing over the last few years, so we're confident in our ability to hold up under closer scrutiny and welcome the additional attention the campaign will naturally bring. We'll have further announcements and information about the campaign after it goes public.