I maintain a number of popular open source WordPress plugins which deal with user authentication and sensitive information. I believe that the more eyes that software sees, the more secure it can be. If you believe you've found a security issue in one of the plugins listed below, I encourage you to notify me via HackerOne. I welcome working with you to resolve the issue promptly.
* User Switching plugin for WordPress (https://wordpress.org/plugins/user-switching/)
* Query Monitor plugin for WordPress (https://wordpress.org/plugins/query-monitor/)
* WP Crontrol plugin for WordPress (https://wordpress.org/plugins/wp-crontrol/)
* Global Post Password plugin for WordPress (https://wordpress.org/plugins/global-post-password/)
Any reproducible vulnerability that affects the security of users or their data is likely to be in scope. Common examples include:
* Cross-Site Scripting.
* Cross-Site Request Forgery.
* Server-Side Request Forgery.
* Remote Code Execution.
* SQL Injection.
* Privilege Escalation.
* Unintended Information Disclosure.
Invalid Targets or Bugs
* XSS when the user is logged in as an Administrator or Editor - More info here (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/why-are-some-users-allowed-to-post-unfiltered-html).
* Code execution by users who have the edit_files capability.
* Security bugs in WordPress itself - report these to the WordPress project on HackerOne instead (https://hackerone.com/wordpress).
* Path disclosure, directory listing, and version number disclosure.
* Output from automated scans - please manually verify issues and include a valid proof of concept.
If in doubt, please go ahead and open a report.
* Let me know as soon as possible upon discovery of a potential security issue, and I'll make every effort to quickly resolve the issue.
* Provide me a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services that use my code.
I'm not currently offering financial rewards as my software is free and open source. This may change in the future.
This is a personal HackerOne program and is not associated with WordPress or the WordPress HackerOne program.