# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.2.x   | :white_check_mark: |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :white_check_mark: |
| 4.9.x   | :white_check_mark: |
| 4.8.x   | :white_check_mark: |
| 4.7.x   | :white_check_mark: |
| 4.6.x   | :white_check_mark: |
| 4.5.x   | :white_check_mark: |
| 4.4.x   | :white_check_mark: |
| 4.3.x   | :white_check_mark: |
| 4.2.x   | :white_check_mark: |
| 4.1.x   | :white_check_mark: |
| 4.0.x   | :white_check_mark: |
| 3.9.x   | :white_check_mark: |
| 3.8.x   | :white_check_mark: |
| 3.7.x   | :white_check_mark: |
| < 3.7.0 | :x:                |

## Reporting a Vulnerability

[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.

Our most critical targets are:

* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).
* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).
* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).
* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).
* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).
* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).
* WordCamp.org [website](https://central.wordcamp.org).

Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.

For more targets, see the `In Scope` section below.

_Please note that **WordPress.com is a separate entity** from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic)._

## Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.

We generally **aren't** interested in the following problems:

* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.
* Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out-of-scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
* Open API endpoints serving public data (including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
* WordPress version number disclosure
* Mixed content warnings for passive assets like images and videos
* Lack of HTTP security headers (CSP, X-XSS, etc.)
* Output from automated scans - please manually verify issues and include a valid proof of concept.
* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low-impact site.
* Clickjacking with minimal security implications
* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit them remotely.
* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.

## Guidelines

We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:

* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
* Pen-testing Production:
  * Please **set up a local environment** instead whenever possible. Most of our code is open source (see above).
  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.
  * **_Don't_ automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
  * If you don't follow these guidelines, **we will not award a bounty for the report.**
* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers. WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer review and testing, to make sure that they don't break millions of websites when they're installed automatically.

We also expect you to comply with all applicable laws. You're responsible for paying any taxes associated with your bounties.