
Updates to NodeBB's Bug Bounty Program

julian April 21, 2026

Since 2017, we've maintained a bug bounty program that awarded responsible disclosure of security vulnerabilities on a sliding scale of $64 to $512 based on severity.

Throughout the years we've made some unpublished changes to this bounty program, mostly related to the format (no videos, text only, allowed testing endpoints) and in some cases expanding the scope of covered plugins (e.g. 2factor, web-push).

With the rise of LLMs and the corresponding drop in ability needed to analyze and send in reports, we have been receiving a large increase in reports whose submitters have no ability to defend or support their claims, but are happy to pretend that they do. [...]

To be fair, this has been the case ever since the beginning. We've awarded our fair share of bounties to parties running static analysis scripts that output a ton of technical jargon that says very little. The difference today is that the scale of these reports is whittling away what little patience I have left.

The easiest thing to do is to cancel the program outright. This would be unfair to the legitimate submitters of security vulnerabilities, and open us up to exploits that we simply would not learn about prior to exploitation. None of that sounds like the direction we want to go. I've gone on the record saying that the one thing OSS devs should set up (if they're able) is a bug bounty program, and I still stand by that claim.

Our bug bounty program remains, with one important change. AI-generated vulnerability reports will be rejected outright, on principle. If you did not do the work, you do not get to take credit for it. The social contract built into this program is, and has always been, a 1:1 exchange of humans talking to humans. Analyzing NodeBB's codebase using Claude (to use an example) and finding vulnerabilities means I should be paying Anthropic the bounty, not the person prompting Claude. If you spent 10 seconds prompting an LLM and I have to spend 20 minutes verifying that your report is not real, the only person whose time is wasted is me.

Some use LLMs as a translation tool, and if this is the case, we will make a good-faith effort to take a look, although we are happy to accept reports in your native language.

Some others use LLMs to structure their reports more professionally. Please just speak to us with your own voice. It is vastly preferable.
