2014-04-14
2019-08-06
Automattic

Automattic runs WordPress.com, Jetpack, VaultPress, Akismet, Gravatar, WooCommerce, Tumblr, and more. Find a complete list of projects on our website https://automattic.com/ .

Please report vulnerabilities in the WordPress, BuddyPress, or bbPress open-source projects through the WordPress HackerOne page.

Eligibility and Responsible Disclosure

You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.

Any public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.

Rewards

Automattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report.

Qualifying Vulnerabilities

Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)

Non-Qualifying Vulnerabilities (Out of Scope)

We are generally not interested in DoS vulnerabilities that stem from a perceived lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.

Cross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. [blog].tumblr.com, cldup.com etc.

Missing Best Practices that don't pose a direct security threat will most likely not be accepted.

Fine Print

You are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.

In Scope

Scope Type: Scope Name

android_application: com.tumblr
  • Minimum OS version: API 21
  • API keys in code
  • Certificate pinning

ios_application: com.tumblr.tumblr
  • Minimum OS version: iOS 11
  • API keys in code
  • Certificate pinning

web_application: safe.tumblr.com

web_application: secure.tumblr.com

web_application: assets.tumblr.com

web_application: embed.tumblr.com

web_application: *.tumblr.com
  • Header: X-tumblr-user can be used to identify if the domain is a blog on the Blog Network
  • View the domain in a browser; there will be a Tumblr banner visible.
  • JavaScript is allowed; XSS is excluded from eligibility.
  • Pages can be framed; Clickjacking or other X-Frame-Options attacks are excluded from eligibility.

web_application: www.tumblr.com

web_application: t.umblr.com

web_application: *.srvcs.tumblr.com

web_application: *.txmblr.com

web_application: api.tumblr.com

Out of Scope

Scope Type: Scope Name

web_application: learnboost.com, *.learnboost.com

web_application: scrollkit.com, *.scrollkit.com

web_application: afterthedeadline.com, *.afterthedeadline.com

web_application: polishmywriting.com, *.polishmywriting.com


This program was found on HackerOne on 2014-04-14.
