Google Analytics Dashboard for WP (GADWP) is an open-source plugin for WordPress that connects Google Analytics with your website. You can find the source code at https://github.com/deconf/Google-Analytics-Dashboard-for-WP.
Responsible Disclosure Guidelines
We are committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:
* Provide details of the vulnerability, including the information needed to reproduce and validate it and a Proof of Concept (PoC)
* Make a good-faith effort to avoid privacy violations and the destruction or modification of data on live sites (please consider installing GADWP (http://downloads.wordpress.org/plugin/google-analytics-dashboard-for-wp.latest-stable.zip) locally)
* Give us a reasonable time to correct the issue before making any information public
Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Server Side Request Forgery (SSRF)
* Remote Code Execution (RCE)
* SQL Injection (SQLi)
We generally aren’t interested in the following problems:
* Security vulnerabilities in WordPress core: here is where you can report them (https://hackerone.com/wordpress)
* Reports for hacked websites: here is what you can do (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)
* Open API endpoints serving public data
* Path disclosures for errors, warnings, or notices
* Plugin version number disclosure
* Mixed content warnings
* Lack of HTTP security headers
* Brute force, DDoS, phishing, text injection, or social engineering attacks
* Issues related to the Google Analytics platform and its resources
* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score
* Output from automated scans - please manually verify issues and include a valid proof of concept
If you think you have found an exception, please let us know.
At this time, we are not awarding bounties or cash rewards for reported vulnerabilities. As our vulnerability disclosure program matures, we'll start including monetary bounties for valid security reports.
Thank you for helping keep GADWP and our users safe!
Hall of Fame