JohnBlackbourn


I maintain a number of popular open source WordPress plugins which deal with user authentication and sensitive information. I believe that the more eyes that software sees, the more secure it can be. If you believe you've found a security issue in one of the plugins listed below, I encourage you to notify me via HackerOne. I welcome working with you to resolve the issue promptly.


Qualifying Vulnerabilities

Any reproducible vulnerability that affects the security of users or their data is likely to be in scope. Common examples include:

  • Cross Site Scripting.
  • Cross Site Request Forgery.
  • Server Side Request Forgery.
  • Remote Code Execution.
  • SQL Injection.
  • Privilege Escalation.
  • Unintended Information Disclosure.

Invalid Targets or Bugs

  • XSS when the user is logged in as an Administrator or Editor (see the linked explanation on the original program page).
  • Code execution by users who have the edit_files capability.
  • Security bugs in WordPress itself - report these to the WordPress project on HackerOne instead.
  • Path disclosure, directory listing, and version number disclosure.
  • Output from automated scans - please manually verify issues and include a valid proof of concept.

If in doubt, please go ahead and open a report.

Disclosure Policy

  • Let me know as soon as possible upon discovery of a potential security issue, and I'll make every effort to quickly resolve the issue.
  • Provide me a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services that use my code.


I'm not currently offering financial rewards as my software is free and open source. This may change in the future.

This is a personal HackerOne program and is not associated with WordPress or the WordPress HackerOne program.

In Scope

Scope Type: web_application (some entries listed with an undefined scope type)

Scope Name:

  • WP Crontrol plugin for WordPress
  • Query Monitor plugin for WordPress
  • User Switching plugin for WordPress
  • Global Post Password plugin for WordPress

FireBounty © 2015-2019
