At MyBB, maintaining secure software is one of our strategic priorities. We and our users need to trust that our software is secure, and will remain secure throughout the years. To stay ahead of potential threats, we conduct in-house audits, coordinate closely with external researchers, and promote security resources and insights, before any problems can be used to cause harm.

We cooperate with security contributors on triage, resolution, analysis, public disclosure, and promotion of relevant publications.

With consent, authors of confirmed vulnerability reports are credited publicly in:

• the Release Notes of corresponding releases,
• the Release Blog Posts of corresponding releases,
• the Resolved Security Issues list

with an optional company/group affiliation, and links to own websites dedicated to security research.

The scope of Security Research recognition currently includes:

• MyBB 1.8.x releases,
• MyBB 1.8.x pre-release codebase.

In the case of vulnerabilities affecting themes or plugins, we additionally recommend contacting, and cooperating with, their authors privately in similar fashion.

If you have discovered a potential vulnerability or security risk, we encourage you to responsibly disclose it to us via the Private Inquiries forum.

You can also reach us at [email protected] for security concerns, however we recommend using Private Inquiries for best feedback.

You can optionally encrypt your message using public keys of at least 3 role leaders, available at https://mybb.com/about/team/.

Coordination

In order to minimize threats to privacy, safety and security of installations, their administrators and users, we urge you to not disclose any information related to your report to parties other than the MyBB Team through official communication channels until an official solution is published. The Private Inquiries section is monitored daily — avoid notifications in publicly accessible channels.

You should not test, demonstrate or exploit the vulnerability on any active MyBB installations not created to test such vulnerabilities nor the MyBB Project infrastructure or its resources — we recommend using a local copy.

Composing a Good Report

Create a short and descriptive subject (identification, location, and type of the vulnerability) with the [Vulnerability Report] prefix for each vulnerability found (or suspected).

Please compose a brief summary of the issue, followed by more detailed technical analysis. This can include:

• factors contributing to the problem,
• how the vulnerability might be exploited,
• which version was tested,
• proof-of-concept (PoC) — simple demonstration of how the vulnerability might be exploited,
• steps to reproduce the issue or arrive at a vulnerable state,
• error/access/action logs (if applicable),
• whether the vulnerability is public or known to anyone else,
• how the issue was discovered (which tools, regular expressions, checklists, etc.),
• related external resources and references (e.g. reports, analyses for similar issues in other software),
• whether other software packages are affected,
• suggested solutions (code change descriptions, patch/diff files),
• how the process can be improved to prevent similar issues in the future,
• whether publications related to the issue are planned or expected.

You can refer to the MyBB codebase using the repository — for example, you can point anyone to lines 13-16 (#L13-16) of file inc/class_session.php in MyBB 1.8.17 (/mybb_1817/) like this:

https://github.com/mybb/mybb/blob/mybb_1817/inc/class_session.php#L13-L16

More information will likely reduce the estimated resolution time.

Please remain available for contact in case more information is needed. The Private Inquiries thread will be used for feedback related to your submission by the MyBB Team.

Additionally, if you wish to be recognized publicly, please include your name, company/group affiliation, and links to personal/organization websites dedicated to security research (if applicable).

Attribution is applicable to persons/entities who, having discovered security issues, follow the disclosure process satisfying the following criteria:

• the software in question is limited to the MyBB forum software (vulnerabilities within third party extensions do not count),
• the vulnerability is technical (techniques such as social engineering or phishing do not count),
• the vulnerability affects confidentiality, integrity or availability of the software directly (disclosure of operational information included in PHP or SQL errors, spam attacks, bypassing CAPTCHAs, etc. do not count),
• the vulnerability is present in the latest stable release or reviewed, pre-release codebase of a supported software branch (vulnerabilities within development releases or older versions do not count),
• no live installations, infrastructure, or resources are tested or exploited without explicit permission of their owners (including the MyBB Project and the Community Forums),
• no details regarding the vulnerability are published before it has been addressed.

While simultaneous discoveries are evaluated on a case-by-case basis, attribution may apply to the first reporter only.

If you are not sure whether you are eligible: contact us — depending on circumstances, exceptions are possible.

Even if you do not meet the requirements to be eligible for bragging rights or have information that don’t directly translate to vulnerabilities (such as suspicion of security breaches or exploitation of MyBB boards in the wild), do not hesitate to reach us — the MyBB Team is in the best position to coordinate efforts to improve the security of our ecosystem.

As MyBB is a not-for-profit FOSS project, release times may vary greatly; nonetheless, subsequent versions are expected to address all known vulnerabilities up to the point of their release. In exceptional cases we will, otherwise, contact the reporter and continue providing follow-up information when such appears. Summaries of vulnerabilities that are not intended to be addressed in near future are published in SECURITY.md files in software repositories.

As a vulnerability reporter or external security researcher, you will likely receive multiple responses as your report is processed:

1. Report

   Your information is posted in the Private Inquiries section, tagged [Vulnerability Report], or otherwise reported to the Team.

2. Acknowledgement

   If no instant assessment is possible, a Team member will initially recognize your report, notify members responsible for handling security issues and take preliminary actions to make sure the disclosure process is correctly followed.

3. Technical Assessment

   Following internal analysis, the Team will inform you whether your submission is confirmed, invalid, or no fix is expected.

   In the case of rejection, we recommend delaying public disclosure (if applicable) by at least 7 days to mitigate risk of mistaken responses. If necessary, you can attempt to reach individual Team members personally via details provided at https://mybb.com/about/team/.

4. Consultation

   You may be asked for additional details related to the report or disclosure process. During and after the solution development, the patch details may be forwarded to you to verify that all vulnerabilities will be properly addressed in the upcoming solution.

5. Remediation

   You will be notified once the software version addressing the issue is released.

6. (Follow-up)

   MyBB aims to promote security research and increase security awareness. If you have published — or intend to publish — an analysis, article or summary after all issues have been resolved, we encourage you to point us to these resources.

   We recommend delaying the publication by at least 14 days starting from the day the solutions were officially published to give administrators time to update their installations before exploitation techniques are widely known.

You can learn how MyBB handles vulnerability reports internally from the Security Workflow.