Reporting Security Vulnerabilities
Phabricator User Documentation (Introduction)
Describes how to report security vulnerabilities in Phabricator.
Phabricator runs a disclosure and award program through HackerOne. This program is the best way to submit security issues to us, and awards responsible disclosure of vulnerabilities with cash bounties. You can find our project page here:
The project page has detailed information about the scope of the program and how to participate.
We have a 24-hour response timeline, and are usually able to respond to (and, very often, fix) issues more quickly than that.
If you aren't sure if something qualifies or don't want to report via HackerOne, you can submit the issue as a normal bug report. For instructions, see Contributing Bug Reports.
General information about security changes is reported weekly in the Changelog.