Page MenuHomePhabricator
Diviner Phabricator User Docs Reporting Security Vulnerabilities

Reporting Security Vulnerabilities
Phabricator User Documentation (Introduction)

Describes how to report security vulnerabilities in Phabricator.

Overview

Phabricator runs a disclosure and award program through HackerOne. This program is the best way to submit security issues to us, and awards responsible disclosure of vulnerabilities with cash bounties. You can find our project page here:

The project page has detailed information about the scope of the program and how to participate.

We have a 24 hour response timeline, and are usually able to respond to (and, very often, fix) issues more quickly than that.

Other Channels

If you aren't sure if something qualifies or don't want to report via HackerOne, you can submit the issue as a normal bug report. For instructions, see Contributing Bug Reports.

Get Updated

General information about security changes is reported weekly in the Changelog.