[{"id":3765489,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [WordPress VIP](https://wpvip.com/), [Beeper](https://beeper.com), [Texts](https://texts.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. If an asset is not in active development, the awards will be adjusted.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. 
\n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-04T12:53:02.880Z"},{"id":3754833,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [WordPress VIP](https://wpvip.com/), [Beeper](https://beeper.com), [Texts](https://texts.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-05T17:21:49.152Z"},{"id":3741282,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [Beeper](https://beeper.com), [Texts](https://texts.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-05T21:08:18.310Z"},{"id":3712299,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [Texts](https://texts.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-07T21:28:04.131Z"},{"id":3706282,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-01T10:38:33.217Z"},{"id":3686417,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com/Tumblr.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\"Follow-Ups\" WooCommerce extension is out of scope.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-20T12:59:16.761Z"},{"id":3651081,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com/Tumblr.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $500 |\n| High | $600 | $300 |\n| Medium | $300 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-13T10:21:18.676Z"},{"id":3648351,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com/Tumblr.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $600 |\n| High | $750 | $400 |\n| Medium | $400 | $200 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-03T05:01:42.606Z"},{"id":3648350,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Rewards\n\n| Severity | WordPress.com/Tumblr.com | Everything Else  |\n|-|-|-|\n| Critical | $1,000 | $700 |\n| High | $750 | $500 |\n| Medium | $400 | $300 |\n| Low | $100 | $100 |\n\nThe table above outlines the nominal rewards for in-scope assets. Automattic, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.\n\nAmounts may vary depending upon the severity of the issue and quality of the report. \n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-03T04:59:21.085Z"},{"id":3648244,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. 
As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-01T08:51:54.234Z"},{"id":3648031,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nTabnabbing vulnerabilities are out of scope.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-25T19:33:43.578Z"},{"id":3646855,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), [Simplenote](https://simplenote.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-15T07:44:56.122Z"},{"id":3646221,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n### Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n- Description of the vulnerability\n- Steps to reproduce the reported vulnerability\n- Proof of exploitability (e.g. 
screenshot, video)\n- Perceived impact to another user or the organization\n- Proposed [CVSSv3](https://www.first.org/cvss/calculator/3.0) Vector \u0026 Score (without environmental and temporal modifiers)\n- List of URLs and affected parameters\n- Other vulnerable URLs, additional payloads, Proof-of-Concept code\n- Browser, OS and/or app version used during testing\n\n*Note: Failure to adhere to these minimum requirements may result in the loss of a reward.*\n\n**All supporting evidence and other attachments must be stored only within the report you submit.** Do not host any files on external services.\n\n#### Same Bug, Different Host\n\nFor each report, please allow Automattic sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report. Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.\n\n#### Same Payload, Different Parameter\n\nIn some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T08:21:50.635Z"},{"id":3639462,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. 
Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-10T17:37:44.173Z"},{"id":3632321,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), [Tumblr](https://tumblr.com/), and more. Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. 
Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-05T18:50:50.594Z"},{"id":3632033,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [Cloudup](https://cloudup.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), and more. Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. 
\n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nNon-Qualifying Vulnerabilities (Out of Scope)\n---------------------------------------------\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\nCross Site Scripting (XSS) is out of scope for all impactless domains where arbitrary HTML / JavaScript is intentionally allowed, e.g. `[blog].tumblr.com`, `cldup.com` etc.\n\nMissing Best Practices that don't pose a direct security threat will most likely not be accepted.\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-02T20:04:49.757Z"},{"id":3551791,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [Cloudup](https://cloudup.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\n\u003e **Please, report vulnerabilities in the [WordPress](http://wordpress.org),  [BuddyPress](http://buddypress.org), or  [bbPress](http://bbpress.org) open-source projects through the [WordPress HackerOne page](https://hackerone.com/wordpress).**\n\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. 
Of course, if you think you have found an exception to this rule, please let us know.\n\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-20T16:45:42.304Z"},{"id":3544426,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [Jetpack](https://jetpack.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [Cloudup](https://cloudup.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), and more. Find a complete list of projects on our website https://automattic.com/.\n\nWe also welcome reports for the open source projects [WordPress](http://wordpress.org), [BuddyPress](http://buddypress.org), and [bbPress](http://bbpress.org).\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. 
Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.\n\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-09T09:43:25.789Z"},{"id":1738976,"new_policy":"Automattic runs [WordPress.com](https://wordpress.com/), [VaultPress](https://vaultpress.com/), [Akismet](https://akismet.com/), [Gravatar](https://gravatar.com/), [Cloudup](https://cloudup.com/), [WooCommerce](http://www.woothemes.com/woocommerce/), and more. 
Find a complete list of projects on our website https://automattic.com/.\n\nWe also welcome reports for the open source projects [WordPress](http://wordpress.org), [BuddyPress](http://buddypress.org), and [bbPress](http://bbpress.org).\n\n\nEligibility and Responsible Disclosure\n--------------------------------------\nYou are responsible for complying with all applicable laws and **must** only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.\n\nAny public disclosure of issues prior to resolution may result in disqualification from the program. Individuals who we are legally prohibited from paying, such as those residing in a country on a U.S. sanctions list, are ineligible for rewards.\n\n\nRewards\n-------\nAutomattic may, at its own discretion, provide a bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only. Amounts may vary depending upon the severity of the issue and quality of the report. \n\n\nQualifying Vulnerabilities\n--------------------------\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n - Cross Site Scripting (XSS)\n - Cross Site Request Forgery (CSRF)\n - Server Side Request Forgery (SSRF)\n - Remote Code Execution (RCE)\n - SQL Injection (SQLi)\n\nWe are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. 
Of course, if you think you have found an exception to this rule, please let us know.\n\n\nFine Print\n--------------\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-08-11T02:54:04.951Z"},{"id":1433215,"new_policy":"Automattic runs WordPress.com, VaultPress, Akismet, Gravatar, Simperium, Cloudup, and more.  Find a complete list of projects on our website http://automattic.com/.  We also welcome bug reports for the open source projects WordPress, BuddyPress, and bbPress.\n\nPlease note that we are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha.  As a web-scale service, our threshold for rate limiting is higher than you would probably expect.  Of course, if you think you have found an exception to this rule, please let us know.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-06T10:13:30.760Z"},{"id":1433212,"new_policy":"\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-06T10:12:48.725Z"}]