7943 policies in database
Link to program      
MainWP logo



In our ongoing effort to provide the most secure WordPress Manager to our users, we are offering a reward for each security vulnerability reported in either the MainWP Dashboard plugin or the MainWP Child Plugin.

Both plugins are 100% open source

We are specifically looking for security violations that would enable access to the users "Network" by a third party when a connection between the MainWP Dashboard and MainWP Child Plugin has already been established. This includes but is not limited to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Broken Authentication, Remote Code Execution SQL injection, and Privilege Escalation.

We are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha.

  • You should install a copy of the plugins and WordPress on your own server. *

To help you get started review the KB section MainWP first steps

If you believe you've found a security issue in our plugins, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Bounty Program

To show our appreciation of responsible security researchers, MainWP offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

  • Bounties will be awarded to the first reporter of a vulnerability only.
  • Amounts may vary depending upon the severity of the issue and quality of the report.
  • We are interested in any vulnerability in our code, however, issues that are only exploitable by having an Admin user logged on to their WordPress install are ineligible for a bounty
  • Bounties are awarded at the discretion of the bug bounty team


Important Notes on Scope

  • The MainWP plugins are maintained on GitHub , and you can use the Master branch of the Dashboard or Child for the latest development version or WordPress.org for the latest stable version, MainWP Dashboard MainWP Child . No other branches, forks, or versions qualify for a bounty.

Out of Scope

  • The MainWP website and hosting are not within the scope

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the problem quickly.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.


While researching, we'd like to ask you to refrain from:

  • Security vulnerabilities in the hosting service, WordPress core, or in any part of the MainWP website (the reward is for the MainWP Dashboard and Child plugins only! See Scope and Out of Scope sections. )
  • Security vulnerabilities in third-party websites, applications or Extensions that integrate with MainWP website or MainWP plugins
  • Denial of service
  • Spamming
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Social engineering (including phishing) of MainWP staff or contractors
  • Any physical attempts against any MainWP property or data centers
  • We are not interested in social engineering reports
  • We are not interested in version disclosure reports
  • We are not interested in HTTP sniffing or HTTP tampering exploits, you can assume all live MainWP Dashboard and Child installs will be HTTPS.

Response Times

We will attempt to respond to reports within a week at the latest, typically within 48 hours. (Please, keep in mind that we are distributed across time zones, and this may cause a delay if we need to discuss internally.) Severe issues will be handled as soon as possible, while all other issues will be treated as part of our normal update process.

Thank you for helping keep MainWP and our users safe!

In Scope

Scope Type Scope Name




Firebounty have crawled on 2020-09-09 the program MainWP on the platform Hackerone.

FireBounty © 2015-2020

Legal notices