Security Research

While MyBB is designed with security in mind, the possibility of security issues being introduced is ever a problem. Learn how to responsibly disclose any vulnerabilities you may find. Researchers may be eligible for a place in our Security Hall of Fame.

Introduction

An insight in to the program

At MyBB, we take security as the highest priority. Both ourselves and our users need to trust that the software they're using is secure and will remain secure throughout the years. We've encountered vulnerabilities which have been disclosed to us by members of the community and encountered some which have been spread around the web. The latter is something which we want to avoid to protect our users and make understanding the issue easier. For those who responsibly disclose vulnerabilities within the MyBB software, we have a Security Hall of Fame for bragging rights.

The Rules

How to be eligible

To be eligible for a place in the Security Hall of Fame you must follow a set of rules:

  • Don't attempt to exploit any MyBB forum without the expressed permission of the owner. If possible, use a local copy of MyBB to confirm whether the vulnerability exists or not.
  • Under no circumstances should you try to exploit the MyBB Community Forums or any other resource owned by the MyBB Group.
  • Don't publicly disclose the vulnerability before it has been fixed.
  • The software in question is limited to the MyBB Forum Software. Vulnerabilities within third party MyBB plugins do not count.
  • The vulnerability must be a technical vulnerability. Social engineering or phishing attacks do not count.
  • Bugs which introduce PHP warnings or SQL errors (that aren't due to SQL injection) do not count.
  • Only the person who discovered the vulnerability is eligible.
  • Spam attacks (Bypassing captchas for instance) do not count.
  • The vulnerability must be present in the latest stable release of MyBB. Vulnerabilities within development releases or older versions do not count.

Reporting

How to report a vulnerability

If you have discovered a potential vulnerability or security risk, we encourage you to responsibly disclose it to us via the Private Inquiries forum. Even if you do not meet the requirements to be eligible for a place in our hall of fame, please do not hesitate to report it anyway. The more details you provide and the better you can explain the issue, the faster we can release a patch and keep our users safe. Please wait up to 24 hours for a response. We're all volenteers and it may take a while to understand the issue and to look in to it.

Third Party Content

How to handle third party software

While only vulnerabilities you find within the MyBB forum software make you eligible for a place in the hall of fame, we do encourage you to report any vulnerabilities you may find within third party content to the authors. Our aim is to keep our users safe and plugins play a major role in introducing security issues.