HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

HackerOne campaign has begun in invite-only mode [update: public now]

LincLinc Detroit Admin

Hi all,

As of yesterday, we've privately launched on HackerOne as part of our ongoing plans to improve Vanilla's security and invest in that part of our workflow. HackerOne is a third-party service for managing security reports and encouraging hackers to participate in the security evaluation of our software and websites in exchange for cash bounties. We've been making preparations to launch this campaign since this past winter. Our campaign is currently in invite-only mode while we get started. We hope to progress to a public campaign in a few months.

I am bringing this to the community's attention for two reasons. First, if we have open source contributors interested in being invited to our campaign, you can contact me to be added. Please create a HackerOne account before doing this. Second, you may see an increase in folks attempting to find vulnerabilities in this site. While we have asked that hackers please not disrupt the community, I'm sure some will do so any way. That content can be deleted and the user accounts banned (for moderators reading this).

Vanilla has been conducting several rounds of security testing over the last few years, so we're confident in our ability to hold up under closer scrutiny and welcome the additional attention our campaign will naturally bring. We'll have further announcements and information about the campaign after it goes public.



  • LincLinc Detroit Admin

    This program is now public and available at: https://hackerone.com/vanilla

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP


    Just a quick question re: moderation.

    If we spot users attempting code injection etc., do we leave them?

    If Akismet holds up such posts, should we let them on to the board?

  • LincLinc Detroit Admin

    I'd just delete those posts. They're not supposed to be targeting live sites at all according to the terms.

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Will do!

  • Hi @Linc

    I have submitted an Urgent report on H1 could you take a look at it ?


  • LincLinc Detroit Admin
    edited March 2018

    Please do not ping me on the forum to look at the HackerOne campaign. We have a team monitoring that account and just me on my forum account. I don't scale, and I'm way slower. I'm sure someone was already evaluating it. Thank you for reporting.

Sign In or Register to comment.