15/04/2019

In Scope

Scope Type | Scope Name
---|---
web_application | wpengine.com
web_application | my.wpengine.com
web_application | *.wpengine.io
web_application | *.wpesvc.net
web_application | *.studiopress.com
web_application | spressforumstg.wpengine.com
web_application | studiopress.blog

Out of Scope

Scope Type | Scope Name
---|---
web_application | wpengine.com/contact/

WP Engine

WP Engine invites you to test the WP Engine Digital Platform. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to ecommerce extensions. Good luck and happy hunting!


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

This program only awards points for VRT based submissions.

Targets

In scope

Target name | Type
---|---
wpengine.com | Website
my.wpengine.com | Website
*.wpengine.io | Website
*.wpesvc.net | Website
*.studiopress.com | Website
spressforumstg.wpengine.com | Website
studiopress.blog | Website

Out of scope

Target name | Type
---|---
wpengine.com/contact/ | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of WP Engine not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target Info:

  • wpengine.com is the landing page for all WP Engine services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

  • my.wpengine.com controls authentication for WP Engine. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

  • *.wpengine.io & *.wpesvc.net are wildcard scopes on apex domains used for microservices hosted as subdomains and for service-to-service APIs. These are not meant to be consumed by the public, but they resolve on public DNS. To aid in testing, some initial OSINT (certificate-transparency searches) is provided for these domains: https://crt.sh/?q=%25wpengine.io & https://crt.sh/?q=%25wpesvc.net

  • *.studiopress.com, in particular studiopress.com, www.studiopress.com, and my.studiopress.com, are public-facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

  • studiopress.blog is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.

  • spressforumstg.wpengine.com is the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @bugcrowdninja.com email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.

Researchers are welcome to test functionality behind the paywall if they wish, provided it falls within the scope of this bounty. However, no reimbursements will be made for money spent to access this part of the application.
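The wildcard targets above are meant to be enumerated from certificate-transparency data (the crt.sh links), and the scope rules say that anything not listed, including unlisted subdomains and the wpengine.com/contact/ path, is off limits. The following is an added example, not code from the program page or from WP Engine, that turns crt.sh JSON output into a de-duplicated host list and checks each host and URL against the program's scope before any testing starts. It assumes crt.sh's `&output=json` rows carry names in `common_name` and `name_value` (several SAN names separated by newlines), and the sample rows and hostnames embedded below are constructed for the example.

```python
"""Added example (not part of the WP Engine program page): turn crt.sh output
into a de-duplicated host list and check each host against the program scope.

Assumptions: crt.sh's JSON output (``&output=json``) is a list of objects whose
``common_name`` and ``name_value`` fields carry the certificate names, with
several SAN names separated by newlines in ``name_value``.  The sample below is
constructed for this example; the hostnames in it are hypothetical.
"""
import fnmatch
import json
from urllib.parse import urlsplit

# Scope exactly as listed on the program page.
IN_SCOPE = [
    "wpengine.com",
    "my.wpengine.com",
    "*.wpengine.io",
    "*.wpesvc.net",
    "*.studiopress.com",
    "spressforumstg.wpengine.com",
    "studiopress.blog",
]
# Out-of-scope entries are host/path prefixes, not just hosts.
OUT_OF_SCOPE = ["wpengine.com/contact/"]

# Constructed stand-in for `curl 'https://crt.sh/?q=%25wpengine.io&output=json'`.
SAMPLE_CRTSH = json.dumps([
    {"common_name": "api.wpengine.io",
     "name_value": "api.wpengine.io\nAPI.wpengine.io\nmetrics.wpengine.io"},
    {"common_name": "*.wpesvc.net", "name_value": "*.wpesvc.net\nwpesvc.net"},
    {"common_name": "shared.example.net",
     "name_value": "shared.example.net\nlegacy.wpengine.io."},
])


def parse_crtsh(raw_json):
    """Return the set of concrete hostnames named in crt.sh JSON output.

    Wildcard names (``*.example``) are certificate patterns, not hosts, so
    they are dropped; case and trailing dots are normalised so that
    ``API.wpengine.io`` and ``api.wpengine.io.`` collapse to one entry.
    """
    hosts = set()
    for row in json.loads(raw_json):
        names = [row.get("common_name", "")] + row.get("name_value", "").split("\n")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name and not name.startswith("*."):
                hosts.add(name)
    return hosts


def host_in_scope(host):
    """True if ``host`` is an exact in-scope name or matches an in-scope wildcard.

    The page says every subdomain not listed is out of scope, so ``wpengine.com``
    does not cover ``www.wpengine.com``; a wildcard such as ``*.wpengine.io`` is
    read conservatively as covering subdomains (at any depth), not the apex.
    """
    host = host.lower().rstrip(".")
    for entry in IN_SCOPE:
        if entry.startswith("*."):
            if fnmatch.fnmatchcase(host, entry):
                return True
        elif host == entry:
            return True
    return False


def url_in_scope(url):
    """True if the URL's host is in scope and its path is not under an
    out-of-scope host/path prefix such as ``wpengine.com/contact/``."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host_in_scope(host):
        return False
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"  # treat /contact and /contact/ alike
    for entry in OUT_OF_SCOPE:
        oos_host, _, oos_path = entry.partition("/")
        if host == oos_host and path.startswith("/" + oos_path):
            return False
    return True


def triage(raw_json):
    """Split the hosts found in crt.sh output into in-scope and out-of-scope lists."""
    hosts = parse_crtsh(raw_json)
    in_scope = sorted(h for h in hosts if host_in_scope(h))
    out_of_scope = sorted(h for h in hosts if not host_in_scope(h))
    return {"in_scope": in_scope, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for bucket, found in triage(SAMPLE_CRTSH).items():
        print(bucket)
        for h in found:
            print("  ", h)
```

Two points in the design follow directly from the program text: a certificate that lists both an in-scope name and an unrelated name (shared hosting or a third-party CDN) does not pull the unrelated host into scope, and the apex `wpesvc.net` is treated as unlisted because only `*.wpesvc.net` appears in the targets. If you read the wildcard as including the apex, add the apex names to `IN_SCOPE` explicitly rather than loosening the matcher.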


Out-of-Scope:

  • Denial of Service / Distributed Denial of Service attacks
  • Support, contact forms and chats are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019
