Details

Security is serious business, just like Phabricator. If you can find a security vulnerability in the project, we’ll reward you with cold, hard cash. The cash will be transmitted electronically, so it will be cold and hard only figuratively.

READ THIS

IMPORTANT: DO NOT TEST secure.phabricator.com. Do not test an install of Phabricator that you do not own. This includes secure.phabricator.com and any other existing install you might find. If you report an issue against secure.phabricator.com or another install you do not own, it will not be accepted. Instead, install a local copy of Phabricator. This will let you test Phabricator without disrupting other users.
IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with phabricator.org, phabricator.com, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the Phabricator software itself.
For instructions on installing a local copy of Phabricator, see the Installation Guide.
We receive many reports (significantly more than 50%) from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "mongoose" somewhere in your report. If you do not, your report will be closed as "Not Applicable".

The Fine Print

Responsibly disclose a previously unknown vulnerability directly to us.
This vulnerability must significantly compromise the security of a typical Phabricator installation.
Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.
Vulnerabilities in Phabricator and Arcanist are in scope.
Vulnerabilities in other bundled dependencies (in externals/ directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.
Report vulnerabilities only if you are comfortable with full disclosure once the report is closed.

Getting Started

You can find the source and start looking for vulnerabilities on GitHub.
Phabricator has more than 300,000 lines of PHP, so there are probably at least sixty or seventy million security vulnerabilities in the project. Virtually limitless wealth!

Response Timeline / End of Life

Effective June 1, 2021: Phabricator is no longer actively maintained. This program is still monitored, but can no longer offer a specific response timeline.

Bounty Range: ~$300 - $3,000, based on severity.

READ THIS

IMPORTANT: DO NOT TEST secure.phabricator.com. Do not test an install of Phabricator that you do not own. This includes secure.phabricator.com and any other existing install you might find. If you report an issue against secure.phabricator.com or another install you do not own, it will not be accepted. Instead, install a local copy of Phabricator. This will let you test Phabricator without disrupting other users.

IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with phabricator.org, phabricator.com, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the Phabricator software itself.

For instructions on installing a local copy of Phabricator, see the Installation Guide.

We receive many reports (significantly more than 50%) from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "mongoose" somewhere in your report. If you do not, your report will be closed as "Not Applicable".

The Fine Print

Responsibly disclose a previously unknown vulnerability directly to us.

This vulnerability must significantly compromise the security of a typical Phabricator installation.

Denial of Service and Social Engineering attacks are unlikely to qualify unless particularly clever.

Vulnerabilities in Phabricator and Arcanist are in scope.

Vulnerabilities in other bundled dependencies (in externals/ directories) qualify if they affect a typical Phabricator installation, but are less interesting than vulnerabilities in Phabricator itself.

Report vulnerabilities only if you are comfortable with full disclosure once the report is closed.