WordPress is an open-source publishing platform.
Our HackerOne program covers the Core software, as well as a variety of
related projects and infrastructure.
Our most critical targets are:
Source code for most websites can be found in the Meta repository (git://meta.git.wordpress.org/). The Meta Environment will automatically provision a local copy of some sites for you.
For more targets, see the In Scope section below.
Please note that WordPress.com is a separate entity from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through Automattic's HackerOne
Any reproducible vulnerability that has a severe effect on the security or
privacy of our users is likely to be in scope for the program. Common examples
include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.
We generally aren’t interested in the following problems:
- Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
- Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.
- Security vulnerabilities in WordPress plugins not specifically listed as an in-scope asset. Out of scope plugins can be reported to the Plugin Review team.
- Reports for hacked websites. The site owner can learn more about restoring their site.
- Disclosure of user IDs
- Open API endpoints serving public data (including usernames and user IDs)
- Path disclosures for errors, warnings, or notices
- WordPress version number disclosure
- Mixed content warnings for passive assets like images and videos
- Lack of HTTP security headers (CSP, X-XSS, etc.)
- Output from automated scans - please manually verify issues and include a valid proof of concept.
- Any non-severe vulnerability on lists.wordpress.org, or any other low impact site.
- Clickjacking with minimal security implications
- Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.
Responsible Disclosure Guidelines
We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple
- Follow HackerOne's general guidelines.
- Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.
- Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly made up of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of third-party integrations, our release process takes longer than others. That's necessary to allow us adequate time for various forms of peer review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.
You are expected to comply with all applicable laws in connection with your
participation in this program and you are responsible for the payment of any
taxes associated with rewards received.
Hall of Fame