2014-04-23
2020-01-09
Ian Dunn

Scope

I'm a developer, so I'm mostly interested in source code bugs, rather than network intrusions. Reports must meet these criteria to be accepted:

  • It must show tangible/practical security implications. Theoretical scenarios and missing best practices aren't worth the time.

  • It must include a PoC with complete steps to reproduce.

  • It must have a medium or higher severity; low severity issues just aren't worth the time (unless they can be chained together to create a higher severity vulnerability).

  • It must not be mentioned in the Scope Exclusions section.

Reports that don't meet those criteria will be marked as Not Applicable.

Top Targets

There are more targets listed in the In Scope section below.

Bounties

| Severity | Award |
| -------- | ------------- |
| High | $100 - $400 |
| Medium | $25 - $50 |
| Low | $0 |

Severity is based on CVSS 3, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be rated higher than the same vulnerability in a plugin with 100 active installations.

Scope Exclusions / Common Invalid Reports

  • My personal website is not in scope. It's not important, and the constant pentesting is annoying.

  • Common false reports listed on WordPress' Reporting Security Vulnerabilities page. I don't consider usernames sensitive enough to be information disclosure.

  • Brute force, DoS (including XML-RPC and load-scripts.php), phishing, text injection, or social engineering attacks.

  • Output from automated scans - please manually verify issues and include a valid proof of concept.

  • Clickjacking with minimal security implications.

  • Lack of HTTP security headers or mail-authentication DNS records (CSP, X-XSS-Protection, SPF, DMARC, DKIM, etc.).

  • Mixed content warnings for passive assets like images and videos.

  • Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.

  • Rare or low-severity edge cases: like regular bugs, not all security bugs are worth fixing. Some edge cases may be closed as Informative. For example, CEMI attacks using standard trigger characters (like #151516) are welcome, but characters that only work in Excel, or only in old versions of software, etc. are not accepted (see #124223).

Invalid reports will be disclosed in order to help other researchers and programs learn from them.

In Scope

| Scope Type | Scope Name |
| -------- | ------------- |
| undefined | GitHub repositories |
| web_application | WordPress.org plugins |

Out of Scope

| Scope Type | Scope Name |
| -------- | ------------- |
| web_application | iandunn.name |
