In our ongoing effort to provide the most secure WordPress Manager to our
users, we are offering a reward for each security vulnerability reported in
either the MainWP Dashboard plugin or the MainWP Child Plugin.
Both plugins are 100% open source.
We are specifically looking for security flaws that would give a third party
access to the user's "Network" once a connection between the MainWP
Dashboard and the MainWP Child plugin has already been established. This
includes, but is not limited to, Cross-Site Scripting (XSS), Cross-Site Request
Forgery (CSRF/XSRF), Broken Authentication, Remote Code Execution, SQL
Injection, and Privilege Escalation.
We are generally not interested in DoS vulnerabilities that arise only from a
lack of rate limiting or CAPTCHA.
- You should install a copy of the plugins and WordPress on your own server.
To help you get started, review the KB section "MainWP first steps".
If you believe you've found a security issue in our plugins, we encourage you
to notify us. We welcome working with you to resolve the issue promptly.
To show our appreciation of responsible security researchers, MainWP offers a
monetary bounty for reports of qualifying security vulnerabilities. Reward
amounts will vary based upon the severity of the reported vulnerability, and
eligibility is at our sole discretion.
- Bounties will be awarded to the first reporter of a vulnerability only.
- Amounts may vary depending upon the severity of the issue and quality of the report.
- We are interested in any vulnerability in our code; however, issues that are only exploitable when an Admin user is already logged in to their WordPress install are ineligible for a bounty.
- Bounties are awarded at the discretion of the bug bounty team
Important Notes on Scope
- The MainWP plugins are maintained on GitHub. Use the master branch of the Dashboard or Child repository for the latest development version, or the WordPress.org plugin directory for the latest stable version of MainWP Dashboard and MainWP Child. No other branches, forks, or versions qualify for a bounty.
Out of Scope
- The MainWP website and hosting are not within the scope
We ask that you:
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the problem quickly.
- Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have the explicit permission of the account holder to use.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of MainWP staff or contractors
- Any physical attempts against any MainWP property or data centers
The following do not qualify for a bounty:
- Security vulnerabilities in the hosting service, WordPress core, or any part of the MainWP website (the reward is for the MainWP Dashboard and Child plugins only; see the Scope and Out of Scope sections)
- Security vulnerabilities in third-party websites, applications, or Extensions that integrate with the MainWP website or MainWP plugins
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Social engineering reports
- Version disclosure reports
- HTTP sniffing or HTTP tampering exploits; you can assume all live MainWP Dashboard and Child installs are served over HTTPS
We will attempt to respond to reports within a week at the latest, typically
within 48 hours. (Please, keep in mind that we are distributed across time
zones, and this may cause a delay if we need to discuss internally.) Severe
issues will be handled as soon as possible, while all other issues will be
treated as part of our normal update process.
Thank you for helping keep MainWP and our users safe!
Firebounty crawled the MainWP program on the HackerOne platform on 2020-09-09.