WordPoints


50 $ 



We're interested in source code vulnerabilities in the targets listed below.

The Targets

In order of importance:

Please note that at present the wordpoints.org website is not considered a valid target.

Important Notes

  • The plugin and many of the extensions are developed with the production code in the /src directory of the repository. In these cases, only code within the /src directory is in scope, since only that code is distributed and installed. This is only important when you're looking at one of the development branches. You can also download the code for the latest release (e.g., for WordPoints), and in that case, the package will only contain the production code.

  • We do not maintain old branches of the code, so only vulnerabilities present in the development version and the latest release are in scope. On GitHub these will be the develop and master branches, respectively.

Reporting Bugs

When reporting a vulnerability, please include a POC if possible. That will help us to validate the report as quickly as possible, and will also save you from reporting false bugs.

Bounty Program

We offer small bounties for valid bugs. We may award larger bounties if we think the bug is more serious.

Invalid Bugs

  • Path Disclosure: That's really a server issue, and any competent admin will have display_errors disabled on production boxes.

  • Directory Listing: Similar to path disclosure, this isn't really a concern. Many of the projects are open source, so an attacker can already easily determine the directory structure. Only if a directory is created after the plugin/extension is installed would there be any concern of sensitive information being disclosed.

  • Version Disclosure: Hiding the names or versions of software that a service is running is just security through obscurity.

  • XSS: Reports of XSS vulnerabilities are welcome. However, in WordPress some user Roles are trusted and are allowed to post unfiltered HTML on the front end of the site. An XSS vulnerability may not be considered valid if it can only be exploited by users who have the unfiltered_html capability, and if it does not affect the administration panels. If you're unsure whether an XSS bug is valid, please report it anyway.

  • Nonce Persistence: WordPress uses CSRF tokens called "nonces". However, unlike true nonces, they aren't used only once, but expire after a limited time. If you see the same nonce token value being used repeatedly, that is probably why.

  • Nonces in GET requests: The WordPress developers have built the nonce system to be fairly robust against leaking of nonces in GET requests. WordPress actually includes a function for adding a nonce as a GET parameter to a URL, wp_nonce_url(). This is generally considered an accepted risk. If you think that a particular case of using a nonce in a GET request poses a significant risk, please report it anyway.

  • File Uploads: WordPoints allows users with sufficient capabilities to upload arbitrary files to the server. We are only interested in vulnerabilities related to file uploads if they can be exploited by users who do not have the wordpoints_install_modules capability.

  • Outside Scope: Only source code bugs are within scope; vulnerabilities at the server or network layer are not in scope.

  • Invalid targets: The wordpoints.org website is not a valid target. Please see the Targets section above for a list of valid targets.

This program was found on HackerOne on 2014-10-31.
