Changeset 54934
Timestamp: 12/05/2022 09:23:32 PM (2 years ago)
File: 1 edited
trunk/SECURITY.md
r54919 r54934 35 35 ## Reporting a Vulnerability 36 36 37 [ <span>WordPress</span>](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.37 [WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure. 38 38 39 39 Our most critical targets are: 40 40 41 * WordPress Core [ <span>software</span>](https://wordpress.org/download/source/), [<span>API</span>](https://codex.wordpress.org/WordPress.org_API), and [<span>website</span>](https://wordpress.org/).42 * Gutenberg [ <span>software</span>](https://github.com/WordPress/gutenberg/) and Classic Editor [<span>software</span>](https://wordpress.org/plugins/classic-editor/).43 * WP-CLI [ <span>software</span>](https://github.com/wp-cli/) and [<span>website</span>](https://wp-cli.org/).44 * BuddyPress [ <span>software</span>](https://buddypress.org/download/) and [<span>website</span>](https://buddypress.org/).45 * bbPress [ <span>software</span>](https://bbpress.org/download/) and [<span>website</span>](https://bbpress.org/).46 * GlotPress [ <span>software</span>](https://github.com/glotpress/glotpress-wp) (but not the website).47 * WordCamp.org [ <span>website</span>](https://central.wordcamp.org).41 * WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/). 42 * Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/). 43 * WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/). 44 * BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/). 45 * bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/). 
46 * GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website). 47 * WordCamp.org [website](https://central.wordcamp.org). 48 48 49 Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [ <span>The Meta Environment</span>](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.49 Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you. 50 50 51 51 For more targets, see the `In Scope` section below. … … 59 59 We generally **aren’t** interested in the following problems: 60 60 61 * Any vulnerability with a [ <span>CVSS 3</span>](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.61 * Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score. 62 62 * Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them. 63 * Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [ <span>reported to the Plugin Review team</span>](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).64 * Reports for hacked websites. 
The site owner can [ <span>learn more about restoring their site</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).65 * [ <span>Users with administrator or editor privileges can post arbitrary JavaScript</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)66 * [ <span>Disclosure of user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)67 * Open API endpoints serving public data (Including [ <span>usernames and user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))68 * [ <span>Path disclosures for errors, warnings, or notices</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)63 * Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report). 64 * Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now). 
65 * [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html) 66 * [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue) 67 * Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)) 68 * [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files) 69 69 * WordPress version number disclosure 70 70 * Mixed content warnings for passive assets like images and videos … … 80 80 We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines: 81 81 82 * Follow [ <span>HackerOne's disclosure guidelines</span>](https://www.hackerone.com/disclosure-guidelines).82 * Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 83 83 * Pen-testing Production: 84 84 * Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).
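Review bot: Stripping the `<span>` wrappers and the stray leading space from every link label (`[ <span>WordPress</span>](...)` becoming `[WordPress](...)`) in the lines 37-49 region is the right fix, since raw HTML inside Markdown link text renders literally in viewers that do not allow inline HTML and the leading space produced visible padding in the ones that do; because this changeset only shows the ranges around lines 35-51, 59-70 and 80-84, it is worth confirming that the rest of the file, including the `In Scope` section the line-51 text points to, carries no remaining `<span>` wrappers before closing this out.

Review bot: In the lines 59-70 region the entry at line 64 is also being joined from two physical lines ("* Reports for hacked websites." followed by "The site owner can [learn more ...]") into a single list item, which is a behavioural change in how some Markdown renderers treat the bullet, not just a tag cleanup; that is a good change, but it is not visible from the span removal alone and deserves a mention in the commit message so the line-64 rewrite is not mistaken for an accidental reflow.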