Make WordPress Core

Opened 5 weeks ago

Last modified 3 weeks ago

#62134 reopened defect (bug)

Security Issue in WordPress Core

Reported by: impervaoffset
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses: privacy
Cc:

Description

Hi,

A few months ago, we reported a security issue by sending emails to multiple addresses under the wordpress.org domain. Unfortunately, we are unable to submit vulnerability reports through HackerOne, as, being employees of Imperva, we cannot agree to the terms of use of Bug Bounty platforms on behalf of the company.

We received a response from dpo @ wordpress.org, but after providing the details of the vulnerability, we have not heard back.

If you have an additional email address where we can send the vulnerability details, we would be happy to forward our report there as well.

Please be aware that we follow a 90-day disclosure policy, meaning we will make our findings public 90 days after the initial disclosure.

Change History (5)

#1 @johnbillion
5 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @impervaoffset, please email the report in full to security@wordpress.org. Thanks in advance!

It's worth noting that we work with several other cyber security organisations via HackerOne. If you could let us know the specific terms that you're unable to agree with then we'll pass this on to HackerOne.

I'll close this ticket off but conversation can continue here as necessary.

#2 @impervaoffset
5 weeks ago

Hi John,

We previously reached out to WordPress via this email address on July 3, 2024, but we have not received a response. We are now sending the full report and would appreciate it if you could confirm receipt.

Thank you!

#3 follow-up: @johnbillion
5 weeks ago

Hi @impervaoffset, somebody from the security team will be in touch soon.

#4 in reply to: ↑ 3 @impervaoffset
4 weeks ago

Replying to johnbillion:

Hi @impervaoffset, somebody from the security team will be in touch soon.

No one from the security team has contacted us yet, nor have we received any confirmation regarding the receipt of the vulnerability details. Could you please follow up on this?

#5 @impervaoffset
3 weeks ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

No one from the security team has contacted us yet, nor have we received any confirmation regarding the receipt of the vulnerability details. Could you please follow up on this?
