I maintain a number of popular open source WordPress plugins which deal with user authentication and sensitive information. If you believe you've found a security issue in one of the plugins listed below, I encourage you to notify me via HackerOne. I welcome working with you to resolve the issue promptly.

Targets

• User Switching plugin for WordPress

• Query Monitor plugin for WordPress

• WP Crontrol plugin for WordPress

Qualifying Vulnerabilities

Any reproducible vulnerability that affects the security of users or their data is likely to be in scope. Common examples include:

• Cross Site Scripting

• Cross Site Request Forgery

• Server Side Request Forgery

• Remote Code Execution

• SQL Injection

• Privilege Escalation

• Unintended Information Disclosure

Invalid Targets or Bugs

• XSS when the user is logged in as an Administrator or Editor - More info here

• Code execution by users who have the edit_files capability

• Security bugs in WordPress itself - report these to the WordPress project on HackerOne instead

• Path disclosure, directory listing, and version number disclosure

• Output from automated scans - please manually verify issues and include a valid proof of concept

• Any target that is not one of the WordPress plugins listed above

• The websites the plugins are hosted on

Disclosure Policy

• Let me know as soon as possible upon discovery of a potential security issue, and I'll make every effort to quickly resolve the issue

• Provide me a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services that use my code

Rewards

I'm not currently offering financial rewards as my software is free and open source. This may change in the future.

This is a personal HackerOne program and is not associated with WordPress or the WordPress HackerOne program.