WordPress HackerOne
Target Policy
https://hackerone.com/wordpress?type=teamStructured Scope
-
Asset Identifier
Asset Type
Max Severity
-
gutenberg.run
Each subdomain of this site provides temporary live preview sites for Gutenberg pull requests. Only critical vulnerabilities should be submitted, because the impact of low/medium vulnerabilities is barely noticable.
More info: https://github.com/WordPress/gutenberg.run
URLlow -
mercantile.wordpress.org
This site runs uses [the WooCommerce plugin](https://woocommerce.com/), but we don't accept reports for that. We only accept reports for our custom code. If you find any vulnerabilities that are also present in WooCommerce itself, please [report them to Automattic](/automattic).
Please don't submit test orders (especially automated ones). They don't test any of our custom code, and are a pain to clean up.
Additionally, price manipulation is a common invalid report, please see #682344.
URLmedium -
*.trac.wordpress.org, *.svn.wordpress.org, *.git.wordpress.org, github.com/WordPress
**Do _not_ pentest Trac instances**, it's very annoying to clean up after. Setup a local environment instead; the custom source code is available via the Git command below, in the `trac.wordpress.org` subfolder. **If you ignore this you'll forfeit any bounty.**
The projects here are kept mostly for archival purposes and non-critical information disclosure will generally not be eligible for a bounty.
Only report vulnerabilities in our custom code, don't report vulnerabilities that only exist upstream in Trac itself. Report those directly to info@edgewall.com.
All source code that isn't behind authentication is intended to be public. The source code itself has `High` CVSS impact scores. The applications that manage the code (Trac, Git, SVN, etc) have `Low` scores, except for vulnerabilities that allow modifications to the source code.
Most of the source code in these domains is contained in the "meta" repository: `git clone git://meta.git.wordpress.org/`
SOURCE_CODEcritical -
http://*.buddypress.org,bbpress.org,profiles.wordpress.orgWILDCARDcritical
-
http://*.wordcamp.orgWILDCARDcritical
-
http://*.wordpress.net
All WordPress.net domains, including (but not limited to) jobs.wordpress.net.
This is a shared-hosting environment, and these are generally low-value targets, so we're usually only interested in high- and medium- severity issues that affect the entire server (not just an individual site).
WILDCARDlow -
http://munin-*.wordpress.org
We are not interested in vulnerabilities unless they have a severe impact (e.g., RCE, SSRF). Metrics data is intentionally made public.
WILDCARDlow -
http://*.wordpress.org
All wordpress.org domains that **are not listed in other assets**, including (but not limited to) the following:
* login.wordpress.org
* developer.wordpress.org
* make.wordpress.org
* translate.wordpress.org
* global.wordpress.org, {locale}.wordpress.org (e.g., de.wordpress.org, es-mx.wordpress.org)
* learn.wordpress.orgWILDCARDcritical -
https://github.com/wordpress-mobile/
**Please, report vulnerabilities for the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**
SOURCE_CODEnone -
munin-*.wordpress.org
We are not interested in vulnerabilities unless they have a severe impact (e.g., RCE, SSRF). Metrics data is intentionally made public.
WILDCARDlow -
335703880
**Please, report vulnerabilities for the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**
APPLE_STORE_APP_IDnone -
org.wordpress.android
**Please, report vulnerabilities for the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**
GOOGLE_PLAY_APP_IDnone -
WP-CLI
All code located under [the WP-CLI organization](https://github.com/wp-cli) on GitHub.
The most important targets are the main `wp-cli` repository, and any repositories for commands that are bundled with the distributed `wp-cli` source code, like `cache-command`, `scaffold-command`, etc.
Other repositories are in scope, but may have a lower importance.
SOURCE_CODEcritical -
api.wordpress.orgURLcritical
-
*.wordpress.org
All wordpress.org domains that **are not listed in other assets**, including (but not limited to) the following:
* login.wordpress.org
* developer.wordpress.org
* make.wordpress.org
* translate.wordpress.org
* global.wordpress.org, {locale}.wordpress.org (e.g., de.wordpress.org, es-mx.wordpress.org)
* learn.wordpress.orgWILDCARDcritical -
*.wordpress.net
All WordPress.net domains, including (but not limited to) jobs.wordpress.net.
This is a shared-hosting environment, and these are generally low-value targets, so we're usually only interested in high- and medium- severity issues that affect the entire server (not just an individual site).
WILDCARDlow -
doaction.orgURLcritical
-
GlotPress
All code located under [the GlotPress organization](https://github.com/GlotPress/) on GitHub.
The most important target is the `glotpress-wp` repository. Other repositories are in scope, but may have a lower importance.
SOURCE_CODEcritical -
Digital Ocean, AWS, etc
Unless otherwise noted, we own and operate dedicated servers, rather than using services like AWS, Digital Ocean, etc. Third-parties frequently create S3 buckets, droplets, etc that have security issues, and have "WordPress" in the name. These are not ours, and reports about them will be closed as `Not Applicable`.
OTHERnone -
irclogs.wordpress.org
These are public logs of very old conversations. We are not interested in vulnerabilities unless they have a severe impact (e.g., RCE, XSS, modifying the logs, etc). DoS is not severe in this case.
URLlow -
lists.wordpress.org
We are not interested in vulnerabilities unless they have a severe impact.
URLmedium -
planet.wordpress.orgURLcritical
-
*.wordpress.com
All WordPress.com vulnerabilities should be reported to [Automattic's HackerOne program](https://hackerone.com/automattic).
**WordPress.com vulnerabilities reported here will be marked as `Not Applicable`.**
WILDCARDnone -
status.wordpress.org,glotpress.blog,wordpress.tv
These are hosted on WordPress.com and we don't have access to modify the code, servers, etc. Check [Automattic's HackerOne program](https://hackerone.com/automattic) for details on reporting vulnerabilities with WordPress.com sites.
URLnone -
codex.wordpress.org,codex.bbpress.org,codex.buddypress.org
These are wikis, they're intended to be freely edited by anonymous users. We are not interested in vulnerabilities unless they have a severe impact.
URLmedium -
BBPress Core
Download source code from: https://bbpress.org/download/
SOURCE_CODEcritical -
Gutenberg
Download source code from https://github.com/WordPress/gutenberg
SOURCE_CODEcritical -
*.wordcamp.orgWILDCARDcritical
-
wordpressfoundation.orgURLmedium
-
Official WordPress plugins
Any plugin listed on the WordPress.org profile for [the "wordpressdotorg" account](https://profiles.wordpress.org/wordpressdotorg#content-plugins).
To find the source code for any of them, clicking on the name will take you to the plugin's page within the WordPress.org plugin directory. Once there, click on the `Download` button for a `.zip` file of the latest release, or click on the `Development` tab for links to the code browser and Subversion repository.
SOURCE_CODEcritical -
BuddyPress Core
Download source code from: https://buddypress.org/download/
SOURCE_CODEcritical -
*.buddypress.org,bbpress.org,profiles.wordpress.orgWILDCARDcritical
-
WordPress Core
Download source code from: https://wordpress.org/download/source/
SOURCE_CODEcritical
Target Scope Domains
- api.wordpress.org
- buddypress.org,bbpress.org,profiles.wordpress.org
- codex.wordpress.org,codex.bbpress.org,codex.buddypress.org
- doaction.org
- gutenberg.run
- irclogs.wordpress.org
- lists.wordpress.org
- mercantile.wordpress.org
- munin-wordpress.org
- planet.wordpress.org
- wordcamp.org
- wordpress.net
- wordpress.org
- wordpressfoundation.org
Tech Stack
Last Finished Scan:
- Fleet: allkxss
- Duration: 36.62 Minutes
- Finished: 1 year, 1 month ago