Coral
Open-source commenting platform built for newsrooms, now maintained by Vox Media.
What should journalists know about Coral?
Coral is the only serious open-source commenting system built specifically for news. 120+ newsrooms in 18 countries use it, including the Wall Street Journal, Washington Post, The Intercept, and New York Magazine. That adoption matters: it means the moderation UX has been shaped by actual newsroom workflows, not blog comment culture. The Perspective API integration (Google Jigsaw) catches toxic comments before they publish — a McClatchy experiment showed 36-40% of warned commenters edited their comment to reduce toxicity. Expert badges, journalist highlighting, Q&A mode, and subscriber-only commenting are features Disqus doesn't touch. The tradeoff: self-hosting requires Docker, Node.js, and MongoDB ops knowledge. The managed hosting option removes that burden but locks you into Vox Media's pricing. Development is active — v9.11.2 shipped January 2025 with consistent monthly releases throughout 2024. For any newsroom serious about community, this is the tool.
Running moderated comments on news sites. Replacing Disqus or Facebook Comments. Building subscriber-gated community. Live Q&A sessions with reporters. Any publication that treats reader data as an asset, not an afterthought.
Small blogs or solo publishers (self-hosting overhead is real). Sites that want comments with zero technical setup — Disqus is simpler. Publications without any moderation capacity — comments without moderation are worse than no comments.
Security & Privacy
Data is scrambled while being sent to their servers
Data is scrambled when stored on their servers
Where servers are located — affects which governments can request your data
Privacy policy summary
Self-hosted Coral stores all reader data on your servers. No telemetry to Vox Media. The one exception: if you enable the Perspective API toxic comment filter, comment text is sent to Google's servers for scoring. Managed hosting means Vox Media holds your data — review their DPA.
How to protect yourself:
Host in a jurisdiction appropriate for your audience. If you enable Perspective API, know that comment text leaves your infrastructure. Configure pre-moderation on high-risk stories. Set up the toxic comment threshold before launch — the default is permissive. Have a moderation staffing plan for breaking news spikes.
Open-source (Apache 2.0), 2K GitHub stars, active development (v9.11.2, Jan 2025). Self-hosted model gives full data control — a genuine advantage over Disqus. The 2021 email leak vulnerability was serious but patched fast. TypeScript codebase (71%) with verified GPG-signed releases. Main risk: Perspective API sends comment text to Google, and self-hosting security depends entirely on your own infrastructure. Adequate for most newsrooms; strong if you have competent DevOps.
Who Owns This
Known issues
Self-hosting requires Docker + MongoDB + Node.js ops — not trivial for small teams. A 2021 GraphQL vulnerability (issue #3600) leaked user emails via unauthenticated queries; patched within 24 hours but disclosed publicly after maintainers were slow to respond to the private report. SB Nation community rollout (2020-2021) drew user complaints: no new-comment highlighting, limited threading, mobile comment truncation, aggressive auto-spam flagging. Perspective API toxicity scoring has known bias issues with African-American English and identity terms — Google has improved this but it's not solved. Quote-based pricing for managed hosting means no public cost comparison is possible. 48 open issues on GitHub as of early 2025.
Pricing
Free self-hosted (Apache 2.0). Vox Media offers a managed hosting tier with setup, SSO integration, and strategy support — pricing is quote-based, not published.
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
Something wrong or outdated? Report it.