Make WordPress Core

Changeset 55670


Timestamp:
04/21/2023 03:17:29 AM (10 months ago)
Author:
peterwilsoncc
Message:

Security: Update GitHub security policy to refer to H1.

Update the security policy displayed on GitHub, SECURITY.md, to refer visitors to the HackerOne WordPress program for the full policy.

This allows the project to maintain a single source of truth and avoid the potential for conflicting information across the two sites.

Props desrosj, hellofromTonya, costdev.
Fixes #57937.

File:
1 edited

  • trunk/SECURITY.md

    r55505 r55670  
    11# Security Policy
    22
    3 Full details of the WordPress Security Policy can be found on [HackerOne](https://hackerone.com/wordpress). You can also read more in a detailed white paper about [WordPress Security](https://wordpress.org/about/security/).
     3WordPress is an open-source publishing platform. The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately and privately of any potential vulnerabilities.
     4
     5Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
     6
     7Full details of the WordPress Security Policy and the list of covered projects and infrastructure can be found on [HackerOne](https://hackerone.com/wordpress). You can also read more in a detailed white paper about [WordPress Security](https://wordpress.org/about/security/).
    48
    59## Supported Versions
    6 
    7 Use this section to tell people about which versions of your project are
    8 currently being supported with security updates.
    910
    1011| Version | Supported |
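
Review bot: New line 3 reads as if the Security Team itself does the alerting ("The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately and privately of any potential vulnerabilities"), so the one instruction a reporter needs from the introduction is garbled. Address the reader directly, for example "Please report potential vulnerabilities to the security team immediately and privately", and consider saying here that reports go through HackerOne, since that requirement is only stated at new line 39, below the version table.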
     
    3637## Reporting a Vulnerability
    3738
    38 [WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
    39 
    40 Our most critical targets are:
    41 
    42 *   WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).
    43 *   Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).
    44 *   WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).
    45 *   BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).
    46 *   bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).
    47 *   GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).
    48 *   WordCamp.org [website](https://central.wordcamp.org).
    49 
    50 Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.
    51 
    52 For more targets, see the `In Scope` section below.
    53 
    54 _Please note that **WordPress.com is a separate entity** from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic)._
    55 
    56 ## Qualifying Vulnerabilities
    57 
    58 Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.
    59 
    60 We generally **aren’t** interested in the following problems:
    61 
    62 *   Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
    63 *   Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
    64 *   Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
    65 *   Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
    66 *   [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
    67 *   [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
    68 *   Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
    69 *   [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
    70 *   WordPress version number disclosure
    71 *   Mixed content warnings for passive assets like images and videos
    72 *   Lack of HTTP security headers (CSP, X-XSS, etc.)
    73 *   Output from automated scans - please manually verify issues and include a valid proof of concept.
    74 *   Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.
    75 *   Clickjacking with minimal security implications
    76 *   Vulnerabilities in Composer/npm `devDependencies`, unless there's a practical way to exploit it remotely.
    77 *   Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.
    78 
    79 ## Guidelines
    80 
    81 We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:
    82 
    83 *   Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
    84 *   Pen-testing Production:
    85     *   Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).
    86     *   If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.
    87     *   **_Don't_ automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
    88     *   If you don't follow these guidelines **we will not award a bounty for the report.**
    89 *   Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers. WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.
    90 
    91 We also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.
     39Security issues must be submitted via [HackerOne](https://hackerone.com/wordpress) and it is recommended you read the full policy document before submitting your report.
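
Review bot: Removing old lines 38-91 drops the two routing pointers that keep misdirected reports out of this queue: the note that WordPress.com and the mobile apps are reported through Automattic's HackerOne page (old line 54) and the link sending out-of-scope plugin reports to the Plugin Review team (old line 64). With new line 39 stating that issues "must be submitted via HackerOne", someone reading only SECURITY.md has nothing telling them those cases belong elsewhere. Confirm the HackerOne policy page carries both, or keep a one-line redirect for each in this file. New line 39 would also read better as two sentences, with the recommendation to read the full policy standing on its own.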