We're interested in source code vulnerabilities in the targets listed below.
In order of importance:
Please note that at present the wordpoints.org website is not considered a valid target.
Some of the repositories keep their production code in a /src directory of the repository. In these cases, only code within the /src directory is in scope, since only that code is distributed and installed. This is only important when you're looking at one of the development branches. You can also download the code for the latest release (e.g., for WordPoints), and in that case the package will only contain the production code.
When reporting a vulnerability, please include a proof of concept (PoC) if possible. That will help us validate the report as quickly as possible, and will also save you from reporting bugs that turn out to be invalid.
We offer small bounties for valid bugs. We may award larger bounties if we think the bug is more serious.
Path Disclosure: That's really a server issue, and any competent admin will have display_errors disabled on production boxes.
Directory Listing: Similar to path disclosure, this isn't really a concern. Many of the projects are open source, so an attacker can already easily determine the directory structure. Only if a directory is created after the plugin/extension is installed would there be any concern of sensitive information being disclosed.
Version Disclosure: Hiding the names or versions of software that a service is running is just security through obscurity.
XSS: Reports of XSS vulnerabilities are welcome. However, in WordPress some user Roles are trusted and are allowed to post unfiltered HTML on the front end of the site. An XSS vulnerability may not be considered valid if it can only be exploited by users who have the unfiltered_html capability, and if it does not affect the administration panels. If you're unsure whether an XSS bug is valid, please report it anyway.
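The following is an added example, not WordPoints' own code, showing how the unfiltered_html distinction above plays out in a plugin. It assumes a hypothetical "points label" option (all wpx_example_ names are invented for illustration): the save path mirrors what WordPress core does for post content (kses filtering is skipped for users who hold unfiltered_html), and the output path is shown in a vulnerable form beside a hardened one.

```php
<?php
/**
 * Added example (not WordPoints' own code). Hypothetical plugin option
 * "wpx_example_label" that is saved from the admin and printed on the front end.
 */

// Saving: mirror WordPress core. Core runs kses over post content on save only
// for users who lack the unfiltered_html capability; users who have it are
// trusted to write raw HTML. So with this callback in place, only an
// unfiltered_html user can get <script> into the option, which is exactly the
// case the policy above may treat as out of scope (it is not an admin panel).
function wpx_example_sanitize_label( $html ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $html;                 // trusted role: stored as-is (core behaviour)
    }
    return wp_kses_post( $html );     // strips <script>, on* handlers, javascript: URLs
}

add_action( 'admin_init', function () {
    register_setting( 'wpx_example', 'wpx_example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'wpx_example_sanitize_label',
    ) );
} );

// Output, vulnerable form: the stored value is echoed unchanged. If the sanitize
// callback were missing, or if some other write path (an importer, a REST route)
// stored the option without the capability gate, any user able to set the option
// would get script execution on every page. That is a valid report under the
// policy; the same echo reachable only by unfiltered_html users may not be.
function wpx_example_render_label_vulnerable() {
    return '<span class="points-label">' . get_option( 'wpx_example_label' ) . '</span>';
}

// Output, hardened form: never trust the stored value regardless of who wrote it.
// Filter on output to the post allow-list (wp_kses_post) when the field must
// carry markup, or esc_html() when it should never contain HTML at all.
function wpx_example_render_label() {
    return '<span class="points-label">' . wp_kses_post( get_option( 'wpx_example_label' ) ) . '</span>';
}

function wpx_example_render_plain_label() {
    return '<span class="points-label">' . esc_html( get_option( 'wpx_example_label' ) ) . '</span>';
}
```

When triaging an XSS against this program, the question the example makes concrete is which write path the payload used and what capability that path requires; output-side filtering as in the hardened form makes the answer irrelevant, which is why it is the safer default.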
Nonce Persistence: WordPress uses CSRF tokens called "nonces". However, unlike true nonces, they aren't used only once, but expire after a limited time (by default a token stays valid for between 12 and 24 hours, depending on when in the 24-hour window it was generated). If you see the same nonce token value being used repeatedly, that is probably why.
GET requests: The WordPress developers have built the nonce system to be fairly robust against leaking of nonces in GET requests. WordPress actually includes a function for adding a nonce as a GET parameter to a URL, wp_nonce_url(). This is generally considered an accepted risk. If you think that a particular case of using a nonce in a GET request poses a significant risk, please report it anyway.
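The following is an added example, not WordPoints' own code, covering both the nonce persistence and the GET request points above. It is a hypothetical admin action (all wpx_example_ names are invented for illustration) that is triggered from a link built with wp_nonce_url() and verified with check_admin_referer(); the return value of that check exposes the two-tick lifetime that makes the same token reusable for up to a day.

```php
<?php
/**
 * Added example (not WordPoints' own code). Hypothetical "reset" action reached
 * through admin-post.php via a GET link, protected the way WordPress core does it.
 */

// 1. Build the link. wp_nonce_url() appends a _wpnonce query parameter, so the
//    token travels in the URL (and can end up in server logs or Referer headers).
//    The policy treats that as an accepted risk; binding the nonce to the action
//    *and* the object ID keeps a leaked token from being replayed against
//    another user or another action.
function wpx_example_reset_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg(
        array( 'action' => 'wpx_example_reset', 'user_id' => $user_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wpx_example_reset_' . $user_id );
}

// 2. Handle the request. admin_post_{action} fires for logged-in users only.
add_action( 'admin_post_wpx_example_reset', 'wpx_example_handle_reset' );

function wpx_example_handle_reset() {
    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;

    // Capability first: a valid nonce proves the user intended the request,
    // it does not prove they are allowed to make it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'wpx-example' ), 403 );
    }

    // check_admin_referer() wraps wp_verify_nonce() and dies on failure. On
    // success it returns 1 if the token was generated in the current 12-hour
    // "tick" and 2 if it was generated in the previous one, so the same token
    // value is accepted for 12 to 24 hours. That is the "nonce persistence"
    // described above, not a bug.
    $age = check_admin_referer( 'wpx_example_reset_' . $user_id );
    if ( 2 === $age ) {
        // Optional tightening for a sensitive action: refuse tokens from the
        // previous tick even though WordPress itself would still accept them.
        wp_die( esc_html__( 'This link has expired, please try again.', 'wpx-example' ), 403 );
    }

    // ... perform the reset for $user_id here (omitted) ...

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'reset', '1', $back ? $back : admin_url() ) );
    exit;
}

// 3. Optionally shorten the lifetime site-wide. The nonce_life filter default is
//    DAY_IN_SECONDS; halving it makes every token valid for 6 to 12 hours instead.
add_filter( 'nonce_life', function () {
    return 12 * HOUR_IN_SECONDS;
} );
```

When assessing a nonce-in-GET finding, the lifetime above is the window an attacker has to use a leaked URL, and the action string is what limits where it can be used; a report is more likely to be accepted if it shows a token that is not bound to a specific object, or a handler that verifies the nonce but skips the capability check.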
File Uploads: WordPoints allows users with sufficient capabilities to upload arbitrary files to the server. We are only interested in vulnerabilities related to file uploads if they can be exploited by users who do not have the
Outside Scope: Only source code bugs are within scope; vulnerabilities at the server or network layer are not in scope.
Invalid targets: The wordpoints.org website is not a valid target. Please see the Targets section above for a list of valid targets.
This program was found on HackerOne on 2014-10-31.