Discourse

We welcome review of our 100% open source code, and our public instance at https://try.discourse.org, to ensure the safety and security of Discourse forums across the world.

Temporary Bounty Suspension

As of February 9, 2026, in the wake of Codex 5.3 and Opus 4.6 Discourse has suspended bounties while we process our backlog. We expect to resume offering bounties in 60 days. We encourage reports to be submitted during this pause, and reserve the right to issue bounties for exceptional reports during the pause.

Code of Conduct

Only test against https://try.discourse.org. Reports of issues against other URLs are likely to be closed as ineligible.

Throughout your research, you must make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

We also ask that you refrain from:

• Denial of service attacks
• Spamming
• Social engineering (including phishing) of Discourse staff or contractors
• Any physical attempts against Discourse property or data centers

Disclosure

As an Open Source project, we will make security fixes public as soon as reasonably possible, and aim to publish advisories and/or CVEs for severe issues. We are generally happy to credit researchers in these announcements.

You must wait 90 days after the fix is released before publicly disclosing any information about the vulnerability, your research methods, or how it may be exploited.

Severity

We use a number of factors to determine the severity of an issue. These include:

• The number of sites/users that are likely to be vulnerable
• The impact to the affected system's confidentiality, integrity, and availability
• The conditions required for the exploit to be successful
• The access level required in order to exploit

The severity will be decided at the sole discretion of the Discourse team. As a guide, here are some examples of vulnerabilities which may fall into each category:

Low ($256)

• Perform a trivial action which should not be permitted

Medium ($512)

• CSRF which causes a user to perform an operation they didn't explicitly consent to
• Stored XSS which is mitigated by Discourse's default CSP
• Access to metadata about private topic/post content
• Partial denial-of-service via a trivial request (e.g. cache poisoning)

High ($1024)

• Stored XSS which is not mitigated by Discourse's default CSP
• SSRF to an internal IP address
• Access to private topic/post content
• Full denial-of-service via a trivial request (e.g. cache poisoning)

Critical ($2048+)

• Privilege escalation to admin
• Unrestricted access to the database (e.g. via backups)
• Remote code execution
• Accessing data relating to another site in a multi-tenant environment

Ineligible vulnerability types

See scope exclusions.

Thank you for helping keep Discourse and our users safe!