Scope
I'm a developer, so I'm mostly interested in source code bugs, rather than network intrusions. Reports must meet these criteria to be accepted:
- It must show tangible/practical security implications. Theoretical scenarios and missing best practices aren't worth the time.
- It must include a PoC with complete steps to reproduce.
- It must have a medium or higher severity; low severity issues just aren't worth the time (unless they can be chained together to create a higher severity vulnerability).
- It must not be mentioned in the
Scope Exclusions section.
Reports that don't meet those criteria will be marked as Not Applicable.
Top Targets
There are more targets listed in the In Scope section below.
Bounties
| Severity | Award |
|---|
| High | $100 - $400 |
| Medium | $25-50 |
| Low | $0 |
Severity is based on CVSS 3, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be higher than a vulnerability in a plugin with 100 active installations.
Scope Exclusions / Common Invalid Reports
- My personal website is not in scope. It's not important, and the constant pentesting is annoying.
- Common false reports listed on WordPress' Reporting Security Vulnerabilities page. I don't consider usernames sensitive enough to be information disclosure.
- Brute force, DoS (including XML-RPC and load-scripts.php), phishing, text injection, or social engineering attacks.
- Output from automated scans - please manually verify issues and include a valid proof of concept.
- Clickjacking with minimal security implications
- Lack of HTTP/MX security headers (CSP, X-XSS, SPF, DMARC, DKIM, etc.)
- Mixed content warnings for passive assets like images and videos
- Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.
- Rare or low-severity edge cases: Like regular bugs, not all security bugs are worth fixing. Some edge cases may be closed as
Informative. For example, CEMI attacks using standard trigger characters (like #151516) are welcome, but characters that only work in Excel, or only in old versions of software, etc are not accepted (see #124223).
Invalid reports will be disclosed in order to help other researchers and programs learn from them.
