Opened 5 weeks ago
Last modified 3 weeks ago
#62134 reopened defect (bug)
Security Issue in WordPress Core
| Reported by: | impervaoffset | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | privacy | Cc: | |
Description
Hi,
A few months ago, we reported a security issue by sending emails to multiple addresses under the wordpress.org domain. Unfortunately, we are unable to submit vulnerability reports through HackerOne, as, being employees of Imperva, we cannot agree to the terms of use of Bug Bounty platforms on behalf of the company.
We received a response from dpo @ wordpress.org, but after providing the details of the vulnerability, we have not heard back.
If you have an additional email address where we can send the vulnerability details, we would be happy to forward our report there as well.
Please be aware that we follow a 90-day disclosure policy, meaning we will make our findings public 90 days after the initial disclosure.
Change History (5)
#1, 5 weeks ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
#2, 5 weeks ago
Hi John,
We previously reached out to WordPress via this email address on July 3, 2024, but we have not received a response. We are now sending the full report and would appreciate it if you could confirm receipt.
Thank you!
#3, 5 weeks ago (follow-up: 4)
Hi @impervaoffset, somebody from the security team will be in touch soon.
#4, 4 weeks ago (in reply to: 3)
Replying to johnbillion:
> Hi @impervaoffset, somebody from the security team will be in touch soon.
No one from the security team has contacted us yet, nor have we received any confirmation regarding the receipt of the vulnerability details. Could you please follow up on this?
#5
Hi @impervaoffset, please email the report in full to security@wordpress.org. Thanks in advance!
It's worth noting that we work with several other cyber security organisations via HackerOne. If you could let us know the specific terms that you're unable to agree with then we'll pass this on to HackerOne.
I'll close this ticket off but conversation can continue here as necessary.