No technology is perfect, and we at MapsMarker.com believe that working with
skilled security researchers across the globe is crucial in identifying
weaknesses in any technology. If you believe you've found a security issue in
our product or service, we encourage you to notify us. We welcome working with
you to resolve the issue promptly.
Scope
Bounties are usually only valid for source code vulnerabilities in the valid
targets listed below.
You should install a copy of Maps Marker Pro on your own server. Do not test
on servers you do not own.
Please refrain from accessing private information, performing actions that may
negatively affect Maps Marker Pro users (spam, denial of service), or sending
reports from automated tools without verifying them. We also discourage the
use of vulnerability testing tools that automatically generate significant
traffic.
Targets
- WordPress Plugin Maps Marker Pro (parts of the source code are obfuscated to protect the license; reports about how to overcome that license protection are not considered a valid target. The plugin also includes a mechanism to start a free 30-day trial; on localhost instances no license key needs to be activated at all.)
Non targets
Invalid vulnerabilities
- Path Disclosure: That's really a server issue, and any competent admin will have display_errors disabled on production boxes.
- Directory Listing: Similar to path disclosure, this isn't really a concern. Many of the projects are open source, so an attacker can already easily determine the directory structure. Only if a directory is created after the plugin/module is installed would there be any concern of sensitive information being disclosed.
- Version Disclosure: Hiding the names or versions of software that a service is running is just security through obscurity.
- XSS: Reports of XSS vulnerabilities are welcome. However, in WordPress some user Roles are trusted and are allowed to post unfiltered HTML on the front end of the site. An XSS vulnerability may not be considered valid if it can only be exploited by users who have the unfiltered_html capability, and if it does affect the administration panels.
- Nonce Persistence: WordPress uses CSRF tokens called "nonces". However, unlike true nonces, they aren't used only once, but expire after a limited time. If you see the same nonce token value being used repeatedly, that is probably why.
- Nonces in GET requests: The WordPress developers have built the nonce system to be fairly robust against leaking of nonces in GET requests. WordPress actually includes a function for adding a nonce as a GET parameter to a URL, wp_nonce_url(). This is generally considered an accepted risk.
- File Uploads: WordPress allows users with sufficient capabilities to upload arbitrary files to the server. We are only interested in vulnerabilities related to file uploads if they can be exploited by users who do not have the upload_files capability.
- Outside Scope: Vulnerabilities at the server or network layer are not in scope.
- Invalid targets: The mapsmarker.com website and all related services are not valid targets. Please see the Targets section above for a list of valid targets.
- License mechanism for Maps Marker Pro: reports about how to overcome that license protection of Maps Marker Pro are not considered as valid vulnerability.
- Missing SPF, DKIM, DNSSEC or DMARC record
- HttpOnly and Secure cookie flags
- HTTPS related (such as HSTS or SSL/TLS protocol vulnerabilities)
- Session timeouts
- Missing X-Frame or X-Content headers
- Issues related to software or protocols not under Maps Marker Pro's control
- Reports of spam
- Bypass of URL malware detection
- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Password and account recovery policies, such as reset link expiration or password complexity
- Vulnerabilities which can only be exploited with a WordPress admin user account
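The two nonce items above describe why a WordPress "nonce" is not a true single-use token: it is derived from a time tick, the action name and the user, so the same value is handed out for the whole tick and stays valid for the previous tick as well. The following Python model is an added example, not code from Maps Marker Pro or from WordPress core; it mirrors the shape of wp_create_nonce(), wp_verify_nonce() and wp_nonce_url() (half-life ticks, current-or-previous tick accepted, a `_wpnonce` query parameter) but uses a constructed secret and HMAC-SHA256 instead of WordPress's own salts and hashing, so the token values are not WordPress's.

```python
import hashlib
import hmac
import math
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl

# Constructed secret for the demo; WordPress derives its key from wp_salt('nonce').
SECRET = b"constructed-demo-nonce-secret"
NONCE_LIFE = 86400  # seconds; WordPress's default nonce lifetime is one day


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """Tick number: the lifetime is split in half, so a token straddles two ticks."""
    return math.ceil(now / (life / 2))


def _token(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]  # keep a 10-character slice, as WordPress does


def create_nonce(action: str, user_id: int, now: int, life: int = NONCE_LIFE) -> str:
    """Same (action, user, tick) always yields the same value: nonces repeat within a tick."""
    return _token(nonce_tick(now, life), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: int,
                 life: int = NONCE_LIFE) -> int:
    """Return 1 if generated in the current tick, 2 if in the previous tick, 0 if invalid.

    Bound to the action and user, so a token for one action or user does not
    verify for another; anything older than one lifetime is rejected."""
    tick = nonce_tick(now, life)
    for age, candidate_tick in ((1, tick), (2, tick - 1)):
        expected = _token(candidate_tick, action, user_id)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def nonce_url(url: str, action: str, user_id: int, now: int) -> str:
    """Append the token as a `_wpnonce` GET parameter, like wp_nonce_url()."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query["_wpnonce"] = create_nonce(action, user_id, now)
    return urlunparse(parts._replace(query=urlencode(query)))


def nonce_from_url(url: str) -> str:
    """Read the `_wpnonce` parameter back out of a URL (empty string if absent)."""
    return dict(parse_qsl(urlparse(url).query)).get("_wpnonce", "")


if __name__ == "__main__":
    t0 = 43200 * 10 + 100  # constructed timestamp inside tick 11
    first = create_nonce("delete-marker_7", 1, t0)
    later = create_nonce("delete-marker_7", 1, t0 + 3600)
    print("same value an hour later:", first == later)
    print("current tick:", verify_nonce(first, "delete-marker_7", 1, t0))
    print("previous tick:", verify_nonce(first, "delete-marker_7", 1, t0 + 43200))
    print("expired:", verify_nonce(first, "delete-marker_7", 1, t0 + 86400))
    print(nonce_url("https://example.invalid/wp-admin/admin.php?page=markers",
                    "delete-marker_7", 1, t0))
```

Running the script shows the behaviour the policy describes: the same token is issued repeatedly within a tick and is still accepted one tick later, which is why a repeated nonce value is not by itself a finding; the value returned by `verify_nonce()` also shows how a handler can tell a fresh token (1) from an ageing one (2) before acting on a request.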
Reporting vulnerabilities
Before reporting a vulnerability related to our WordPress plugins, please
check the dev changelog at https://www.mapsmarker.com/changelog/pro-dev to
see whether a fix has already been applied to the dev version (additional
reports would be closed as duplicates).
When reporting a vulnerability, please include a POC. That will help us to
validate the report as quickly as possible, and will also save you from
reporting false vulnerabilities.
Bounty Program
We offer free licenses for valid vulnerabilities (for example a simple XSS);
the license package depends on the vulnerability score (packages valued from
39€ to 719€).
We reserve the right to assess whether a reported vulnerability affects only
non-critical data or systems, in which case we consider it a non-security
issue and will close the report with the status "informative".
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of MapsMarker.com staff or contractors
- Any physical attempts against MapsMarker.com property or data centers
Thank you for helping keep Maps Marker Pro plugin users safe!
This program was found on HackerOne on 2017-05-19.