Flarum is a beautiful piece of software; that is why we are here, and you are here because you appreciate it. But beauty has many forms.
The beauty of extensibility: no bloated content management system.
The beauty of its mobile-first approach: user interaction on mobile and handheld devices is excellent.
Yet beauty also exists in a technical sense when you look at the underlying quality of the code, and especially when we talk about security. Using well-tested components like those from Symfony and Laravel reduces the risk of security vulnerabilities in Flarum, yet we can always do better.
Security is at the heart of any widely-used project, and that includes Flarum. The core team has only limited ability to research, identify, and fix possible vulnerabilities within our code, and our familiarity with the project means we may make assumptions about areas of code without a second thought to possible exploits that may be present. Auditing allows us to more confidently deliver Flarum to everyone -- from businesses to individual forum administrators and end-users -- and lets you have more faith in the safety and security of the project.
For this reason we have opened a new fund to give special attention to security in Flarum. Our goal is to invest heavily in recurring audits and commissioned security fixes. To get this arranged we need hard cash. Auditors do consider discounts for open source, but they still don't work for free.
Find the fund on our Open Collective: https://opencollective.com/flarum/projects/security-audits
As a result of this security-focused fund:
- we will be able to identify security issues before they become a problem
- we can solve vulnerabilities in a targeted way using clear auditing reports
- our team will be able to build better software, less prone to security vulnerabilities
- we can label our software as audited by professional security researchers
Depending on the budget, we will request a security audit immediately after each minor (1.3, 1.4) and major (2.0, 3.0) release so that we are on top of any vulnerabilities at the soonest opportunity. The resulting audit report and discovered vulnerabilities will be kept private for as long as we work on their respective patches. Such patches will be prioritized above other work and released as soon as possible. Once these vulnerabilities are resolved, we will share the reports with the community. Later this year we will open up a partner program for parties relying heavily on Flarum; these partners will receive a copy of these reports as soon as they are available.