Ian Dunn
2014-04-23
2020-01-09
Scope

Bounties are usually only paid for source code vulnerabilities in the assets listed in the In Scope section below. Low severity reports will often be closed as Informative, since they're not worth the time.

Top Targets

There are more targets listed in the In Scope section below.

Bounties

Severity | Award
---|---
High | $100 - $400
Medium | $50
Low | $0 - $25

Severity is based on CVSS 3, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be rated higher than the same vulnerability in a plugin with 100 active installations.

To qualify, reports must include a PoC and complete steps to reproduce. There must be practical and demonstrable security implications, not just a theoretical scenario or a missing best practice.

Scope Exclusions / Common Invalid Reports

  • Rare or low-severity edge cases: like regular bugs, not all security bugs are worth fixing. Some edge cases may be closed as Informative. For example, CEMI (CSV/Excel macro injection) attacks using standard trigger characters are welcome (see #151516), but payloads that only work in Excel, or only in old versions of software, etc. are not accepted (see #124223).
  • Common false reports listed on WordPress' Reporting Security Vulnerabilities page.
  • Brute force, DoS (including XML-RPC and load-scripts.php), phishing, text injection, or social engineering attacks.
  • Mixed content warnings for passive assets like images and videos
  • Lack of HTTP security headers (CSP, X-XSS-Protection, etc.)
  • Output from automated scans - please manually verify issues and include a valid proof of concept.
  • Clickjacking with minimal security implications
  • Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.

Invalid reports will be disclosed in order to help other researchers and programs learn from them.

In Scope

Scope Type | Scope Name
---|---
web_application | iandunn.name
web_application | https://profiles.wordpress.org/iandunn#content-plugins
web_application | WordPress' HackerOne program
web_application | https://github.com/iandunn?tab=repositories&type=source

  • Manage Tags Capabilities is not covered, since I don't have commit access to it.
  • CampTix, CampTix Network Tools, P2 New Post Categories, Tagregator, and SupportFlow should be submitted to WordPress instead, because they're Meta team projects.
  • Email Post Changes and Jetpack should be submitted to Automattic instead.

FireBounty © 2015-2020