Make WordPress Core

Changeset 54934

Timestamp: 12/05/2022 09:23:32 PM
Author: audrasjb
Message:

Security: Remove useless span tags from SECURITY.md.

Props TobiasBg, peterwilsoncc.
Fixes #57243.

File: 1 edited

  • trunk/SECURITY.md

    r54919 r54934  
    3535## Reporting a Vulnerability
    3636
    37 [<span>WordPress</span>](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
     37[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
    3838
    3939Our most critical targets are:
    4040
    41 *   WordPress Core [<span>software</span>](https://wordpress.org/download/source/), [<span>API</span>](https://codex.wordpress.org/WordPress.org_API), and [<span>website</span>](https://wordpress.org/).
    42 *   Gutenberg [<span>software</span>](https://github.com/WordPress/gutenberg/) and Classic Editor [<span>software</span>](https://wordpress.org/plugins/classic-editor/).
    43 *   WP-CLI [<span>software</span>](https://github.com/wp-cli/) and [<span>website</span>](https://wp-cli.org/).
    44 *   BuddyPress [<span>software</span>](https://buddypress.org/download/) and [<span>website</span>](https://buddypress.org/).
    45 *   bbPress [<span>software</span>](https://bbpress.org/download/) and [<span>website</span>](https://bbpress.org/).
    46 *   GlotPress [<span>software</span>](https://github.com/glotpress/glotpress-wp) (but not the website).
    47 *   WordCamp.org [<span>website</span>](https://central.wordcamp.org).
     41*   WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).
     42*   Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).
     43*   WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).
     44*   BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).
     45*   bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).
     46*   GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).
     47*   WordCamp.org [website](https://central.wordcamp.org).
    4848
    49 Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [<span>The Meta Environment</span>](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.
     49Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.
    5050
    5151For more targets, see the `In Scope` section below.
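Review bot: the clone command on line 49 of this hunk uses the `git://` transport (`git clone git://meta.git.wordpress.org/`), which is neither authenticated nor encrypted, so a network attacker in the path can hand a researcher a tampered copy of the Meta repository while they are setting up the local environment this document recommends. Since the line is already being edited, consider pointing readers at an HTTPS clone URL for the same repository if the server offers one, or at least noting that the transport does not verify the origin. The span removal itself is correct: Markdown link text needs no inline HTML, and the rendered anchors on lines 37 through 49 are unchanged.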
     
    5959We generally **aren’t** interested in the following problems:
    6060
    61 *   Any vulnerability with a [<span>CVSS 3</span>](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
     61*   Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
    6262*   Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
    63 *   Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [<span>reported to the Plugin Review team</span>](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
    64 *   Reports for hacked websites. The site owner can [<span>learn more about restoring their site</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
    65 *   [<span>Users with administrator or editor privileges can post arbitrary JavaScript</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
    66 *   [<span>Disclosure of user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
    67 *   Open API endpoints serving public data (Including [<span>usernames and user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
    68 *   [<span>Path disclosures for errors, warnings, or notices</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
     63*   Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
     64*   Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
     65*   [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
     66*   [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
     67*   Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
     68*   [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
    6969*   WordPress version number disclosure
    7070*   Mixed content warnings for passive assets like images and videos
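Review bot: the link on line 61 is labelled "CVSS 3" but targets the 3.0 calculator (https://www.first.org/cvss/calculator/3.0); CVSS v3.1 is the current revision of the v3 specification and clarified the scoring rules, including the rounding function, so the `4.0` threshold should say which revision it is measured against or link the 3.1 calculator instead. Separately, the unchanged context on line 62 reads "etc are", which should be "etc. are", and the sentence would be clearer if it said outright that edits to wikis, Tracs and forums are out of scope because editing them is their intended function.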
     
    8080We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:
    8181
    82 *   Follow [<span>HackerOne's disclosure guidelines</span>](https://www.hackerone.com/disclosure-guidelines).
     82*   Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
    8383*   Pen-testing Production:
    8484    *   Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).
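Review bot: the unchanged context on line 84 says "Please **setup a local environment**", where the verb form is "set up" ("setup" is the noun); since line 82 of this hunk is already being touched, it is worth fixing here rather than in a separate change. The span removal on line 82 is consistent with the rest of the patch.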