Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
18/04/2017
WordPress logo
Thanks
Gift
Hall of Fame
Reward

Reward

In Scope

Scope Type Scope Name
undefined https://buddypress.org/download/ __
undefined info@edgewall.com
undefined https://wordpress.org/download/source/ __
undefined https://bbpress.org/download/ __
undefined the "wordpressdotorg" account __
undefined https://github.com/WordPress/gutenberg __
web_application api.wordpress.org
web_application *.buddypress.org,bbpress.org,profiles.wordpress.org
web_application *.wordcamp.org
web_application planet.wordpress.org
web_application wordpressfoundation.org
web_application mercantile.wordpress.org
web_application lists.wordpress.org
web_application *.wordpress.net
web_application irclogs.wordpress.org
web_application munin-*.wordpress.org
web_application login.wordpress.org
web_application developer.wordpress.org
web_application make.wordpress.org
web_application translate.wordpress.org
web_application global.wordpress.org, {locale}.wordpress.org (e.g., de.wordpress.org, es-mx.wordpress.org)
web_application learn.wordpress.org
web_application These are wikis, they're intended to be freely edited by anonymous users. We are not interested in vulnerabilities unless they have a severe impact.
web_application the GlotPress organization __
web_application the WP-CLI organization __
web_application doaction.org

Out of Scope

Scope Type Scope Name
android_application org.wordpress.android
other We own and operate dedicated servers, rather than using services like AWS, Digital Ocean, etc. Third-parties frequently create S3 buckets, droplets, etc that have security issues, and have "WordPress" in the name. These are not ours, and reports about them will be closed as
undefined https://github.com/wordpress-mobile/
web_application *.wordpress.com
web_application Automattic's HackerOne program

WordPress

WordPress __is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.

Our most critical targets are:

Source code for most websites can be found in the Meta repository (git clone git://meta.git.wordpress.org/). The Meta Environment __will automatically provision a local copy of some sites for you.

For more targets, see the In Scope section below.

Please note that WordPress.com is a separate entity from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through Automattic's HackerOne page.

Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.

We generally aren’t interested in the following problems:

  • Any vulnerability with a CVSS 3 __score lower than4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
  • Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
  • Security vulnerabilities in WordPress plugins not specifically listed as an in-scope asset. Out of scope plugins can be reported to the Plugin Review team __.
  • Reports for hacked websites. The site owner can learn more about restoring their site __.
  • Users with administrator or editor privileges can post arbitrary JavaScript __
  • Disclosure of user IDs __
  • Open API endpoints serving public data (Including usernames and user IDs __)
  • Path disclosures for errors, warnings, or notices __
  • WordPress version number disclosure
  • Mixed content warnings for passive assets like images and videos
  • Lack of HTTP security headers (CSP, X-XSS, etc.)
  • Output from automated scans - please manually verify issues and include a valid proof of concept.
  • Any non-severe vulnerability on irclogs.wordpress.org, lists.wordpress.org, or any other low impact site.
  • Clickjacking with minimal security implications
  • Vulnerabilities in Composer/NPM devDependencies, unless there's a practical way to exploit it remotely.
  • Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.

Guidelines

We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:

  • Follow HackerOne's disclosure guidelines __.
  • Pen-testing Production:
    • Please setup a local environment instead whenever possible. Most of our code is open source (see above).
    • If that's not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
    • Don 't automate form submissions! That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
    • If you don't follow these guidelines we will not award a bounty for the report.
  • Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers. WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.

We also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.

FireBounty © 2015-2019

Legal notices