
CodeIgniter
External Program
Submit bugs directly to this organization


CodeIgniter is a powerful open-source PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.
CodeIgniter recognizes the important contributions that the security community currently makes and can make in the future. We want to make sure that we find any security issues in our open-source project, so we can fix them as soon as possible! If you find vulnerabilities in our framework, we’ll be glad to hear about them here on HackerOne or in our security mailbox at [email protected].
We are interested in all (security-related) bugs in our framework. The source code of CodeIgniter can be found on GitHub at https://github.com/bcit-ci/CodeIgniter.
Security-related bugs about our website at codeigniter.com are also welcome, but our main priority is our framework since it’s used by thousands of developers around the world who depend on it. If you decide to research our website, please do not use automated scanners and read the "out of scope" section carefully!
The CodeIgniter 2.x version tree has been discontinued since October 31st, 2015.
Our sub-domain forum.codeigniter.com is out of scope due to many reports. If you do find vulnerabilities in the forum software anyway, we recommend contacting MyBB at https://www.mybb.com/get-involved/security/.
Furthermore, we are aware of the (missing) HTTP headers regarding security and caching, and their features, as well as similar features or settings regarding mail such as SPF, DMARC and DKIM. Reports about these (even on in-scope domains) will be closed with N/A status.
A good report consists of:
Unfortunately, we cannot offer any financial rewards, as CodeIgniter is a community-maintained project with practically no funding. But we hope that public credit and the feeling of having done well may be gratifying.
Help our framework and score a “thanks” and new reputation points on HackerOne. If you find impressive vulnerabilities, we’d be happy to credit you in our changelog.
Regards, The CodeIgniter team