# Coral

> Open-source commenting platform built for newsrooms, now maintained by Vox Media.

**Source:** https://fieldwork.news/tools/coral-project
**Official site:** https://coralproject.net
**Category:** publishing
**Also covers:** messaging

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** Open-source (Apache 2.0), 2K GitHub stars, active development (v9.11.2, Jan 2025). Self-hosted model gives full data control — a genuine advantage over Disqus. The 2021 email leak vulnerability was serious but patched fast. TypeScript codebase (71%) with verified GPG-signed releases. Main risk: Perspective API sends comment text to Google, and self-hosting security depends entirely on your own infrastructure. Adequate for most newsrooms; strong if you have competent DevOps.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Newsrooms that want to own their comment infrastructure. Publications replacing Disqus or Facebook Comments with something that keeps reader data in-house.

## Editorial take

Coral is the only serious open-source commenting system built specifically for news. 120+ newsrooms in 18 countries use it, including the Wall Street Journal, Washington Post, The Intercept, and New York Magazine. That adoption matters: it means the moderation UX has been shaped by actual newsroom workflows, not blog comment culture. The Perspective API integration (Google Jigsaw) catches toxic comments before they publish — a McClatchy experiment showed 36-40% of warned commenters edited their comment to reduce toxicity. Expert badges, journalist highlighting, Q&A mode, and subscriber-only commenting are features Disqus doesn't touch. The tradeoff: self-hosting requires Docker, Node.js, and MongoDB ops knowledge. The managed hosting option removes that burden but locks you into Vox Media's pricing. Development is active — v9.11.2 shipped January 2025 with consistent monthly releases throughout 2024. For any newsroom serious about community, this is the tool.

## Best for / not for

**Best for:** Running moderated comments on news sites. Replacing Disqus or Facebook Comments. Building subscriber-gated community. Live Q&A sessions with reporters. Any publication that treats reader data as an asset, not an afterthought.

**Not for:** Small blogs or solo publishers (self-hosting overhead is real). Sites that want comments with zero technical setup — Disqus is simpler. Publications without any moderation capacity — comments without moderation are worse than no comments.

## Pricing

- **Pricing:** Free self-hosted (Apache 2.0). Vox Media offers a managed hosting tier with setup, SSO integration, and strategy support — pricing is quote-based, not published.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Self-hosted: you choose the jurisdiction. Managed hosting: Vox Media infrastructure — confirm data residency before signing.

**Privacy policy TL;DR:** Self-hosted Coral stores all reader data on your servers. No telemetry to Vox Media. The one exception: if you enable the Perspective API toxic comment filter, comment text is sent to Google's servers for scoring. Managed hosting means Vox Media holds your data — review their DPA.

**Practical mitigations (operational guidance, not optional):**

Host in a jurisdiction appropriate for your audience. If you enable Perspective API, know that comment text leaves your infrastructure. Configure pre-moderation on high-risk stories. Set up the toxic comment threshold before launch — the default is permissive. Have a moderation staffing plan for breaking news spikes.

## Ownership & business

- **Owner:** Vox Media (acquired 2019, originally a Mozilla / NYT / WaPo / Knight-Mozilla OpenNews collaboration)
- **Funding model:** Knight Foundation grants (2015-2019). Now funded by Vox Media as internal infrastructure — they run it on all SB Nation, The Verge, and Vox.com properties.
- **Business model:** Open-source core (Apache 2.0). Revenue from managed hosting and consulting. Vox Media uses Coral across its own properties, which guarantees continued development — they're a customer of their own product.
- **Open source:** yes
- **Built for journalism:** yes

**Known issues:** Self-hosting requires Docker + MongoDB + Node.js ops — not trivial for small teams. A 2021 GraphQL vulnerability (issue #3600) leaked user emails via unauthenticated queries; patched within 24 hours but disclosed publicly after maintainers were slow to respond to the private report. SB Nation community rollout (2020-2021) drew user complaints: no new-comment highlighting, limited threading, mobile comment truncation, aggressive auto-spam flagging. Perspective API toxicity scoring has known bias issues with African-American English and identity terms — Google has improved this but it's not solved. Quote-based pricing for managed hosting means no public cost comparison is possible. 48 open issues on GitHub as of early 2025.

---
Canonical HTML: https://fieldwork.news/tools/coral-project
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology