[{"id":3755322,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in [our GitHub account](https://github.com/WordPress/), or in the Meta repository (`git clone git://meta.git.wordpress.org/`). Many of the sites have Docker environments that will automatically provision a local copy for you to test against.\n\nFor more targets, see the `In Scope` section below.\n\n**All bounties are doubled** [if they're reported before the bug is released to users](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/).\n\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* Self-XSS issues **within wp-admin** requiring users with `unfiltered_html` capability are not under the scope of this program. For example, script execution within `/wp-admin` as an administrator or editor on a single-site installation. 
Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n* Broken Links to external resources / social media accounts in documentation, profiles, or WordCamp sites, unless a significant security impact can be shown. Broken links in documentation should be reported to https://meta.trac.wordpress.org/.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers 40% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-12T01:24:00.726Z"},{"id":3687467,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in [our GitHub account](https://github.com/WordPress/), or in the Meta repository (`git clone git://meta.git.wordpress.org/`). Many of the sites have Docker environments that will automatically provision a local copy for you to test against.\n\nFor more targets, see the `In Scope` section below.\n\n**All bounties are doubled** [if they're reported before the bug is released to users](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/).\n\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* Self-XSS issues **within wp-admin** requiring users with `unfiltered_html` capability are not under the scope of this program. For example, script execution within `/wp-admin` as an administrator or editor on a single-site installation. 
Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers 40% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-10T22:10:17.524Z"},{"id":3649368,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n**All bounties are doubled** [if they're reported before the bug is released to users](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/).\n\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* Self-XSS issues **within wp-admin** requiring users with `unfiltered_html` capability are not under the scope of this program. For example, script execution within `/wp-admin` as an administrator or editor on a single-site installation. 
Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers 40% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-02T17:43:38.899Z"},{"id":3646087,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n**All bounties are doubled** [if they're reported before the bug is released to users](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/).\n\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* Self-XSS issues **within wp-admin** requiring users with `unfiltered_html` capability are not under the scope of this program. For example, script execution within `/wp-admin` as an administrator or editor on a single-site installation. 
Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-23T17:33:04.217Z"},{"id":3636847,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* Self-XSS issues **within wp-admin** requiring users with `unfiltered_html` capability are not under the scope of this program. For example, script execution within `/wp-admin` as an administrator or editor on a single-site installation. 
Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-29T15:58:29.611Z"},{"id":3634824,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed 
content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. 
You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-09T18:37:08.797Z"},{"id":3618545,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. 
Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Vulnerabilities in Composer/NPM `devDependencies`, unless there's a practical way to exploit it remotely.\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. 
You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-09T17:34:07.591Z"},{"id":3614303,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please 
manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team is mostly comprised of volunteers.  WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer-review and testing, to make sure that they don't break millions of websites when they're installed automatically.\n\nWe also expect you to comply with all applicable laws. 
You're responsible to pay any taxes associated with your bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-19T01:08:23.988Z"},{"id":3614302,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. 
Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * Please **setup a local environment** instead whenever possible. 
Most of our code is open source (see above).\n  * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.\n  * ***Don't* script form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.\n * If you don't follow these guidelines **we will not award a bounty for the report.**\n* Be Patient - Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-19T01:01:26.295Z"},{"id":3612732,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please 
manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:\n\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Pen-testing Production:\n  * It's generally ok to test against live systems, _as long as you don't create/modify/delete any live data, or access private information_, beyond the minimum amount necessary to create a proof-of-concept.\n  * ***Don't* script form submissions!** Automated submissions to forums, contact forms, etc are very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels. If you do that, **we will not award a bounty for the report.** Instead, setup a local environment with our public source code (see above).\n* Be Patient - Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. 
That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-26T14:51:50.852Z"},{"id":3608299,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). 
[The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:\n\n* Follow [HackerOne's general guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-26T14:35:54.955Z"},{"id":3605613,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - 
please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:\n\n* Follow [HackerOne's general guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. 
That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-20T17:04:36.841Z"},{"id":3602131,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). 
[The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a non-trivial effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please let us know.\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:\n\n* Follow [HackerOne's general guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-05T17:23:14.053Z"},{"id":3598067,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a non-trivial effect on the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - 
please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please let us know.\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:\n\n* Follow [HackerOne's general guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T21:22:06.953Z"},{"id":3598066,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:\n\n* Follow [HackerOne's general guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a non-trivial effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards 
received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T21:21:20.700Z"},{"id":3598065,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. 
Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that has a non-trivial effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc. are intended to allow users to edit them.\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).\n* Reports for hacked websites. 
The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards 
received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T21:19:02.937Z"},{"id":3598064,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. 
Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security or privacy of our users is likely to be in scope for the program. 
Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. 
Wikis, Trac, forums, etc are intended to allow users to edit them.\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T21:11:12.214Z"},{"id":3597731,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment  whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security 
headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks. Wikis, Trac, forums, etc are intended to allow users to edit them.\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-12T02:55:57.367Z"},{"id":3596318,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most critical targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment  whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security 
headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-29T21:01:00.801Z"},{"id":3595483,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most popular targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. 
Most of our source code is freely available, so please test against a local development environment  whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security 
headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-22T19:38:18.479Z"},{"id":3595482,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. 
Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most popular targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/GlotPress/) (but not website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nWe're committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment  whenever possible.\n* Give us a reasonable time to correct the issue before making any information public. 
We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than 
`4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-22T19:15:36.872Z"},{"id":3595481,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most popular targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/GlotPress/) (but not website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nSource code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). 
[The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including step-by-step instructions needed to reproduce it, and a Proof of Concept.\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any 
non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-22T19:06:45.291Z"},{"id":3595478,"new_policy":"[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.\n\nOur most popular targets are:\n\n* WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).\n* Gutenberg [software](https://github.com/WordPress/gutenberg/).\n* BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).\n* bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).\n* GlotPress [software](https://github.com/GlotPress/) (but not website).\n* WordCamp.org [website](https://central.wordcamp.org).\n\nFor more targets, see the `In Scope` section below.\n\n*Please note that __WordPress.com is a separate entity__ from the main WordPress open source project. 
Please report vulnerabilities for WordPress.com or the WordPress mobile apps through [Automattic's HackerOne page](https://hackerone.com/automattic).*\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user 
IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-22T18:56:28.717Z"},{"id":3567860,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. 
You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com or the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any 
non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-30T20:04:53.968Z"},{"id":3567403,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com or the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins not *specifically* listed as an in-scope asset: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-24T15:33:46.123Z"},{"id":3567402,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. 
We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com or the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins *not specifically listed in our assets*: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe 
vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-24T15:32:38.167Z"},{"id":3563720,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com or the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-20T14:06:02.012Z"},{"id":3563719,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. 
We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com or the WordPress mobile apps through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, 
`lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-20T14:02:05.358Z"},{"id":3561822,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and most *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Any non-severe vulnerability on `irclogs.wordpress.org`, `lists.wordpress.org`, or any other low impact site.\n* Clickjacking with minimal security implications\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-18T14:58:19.697Z"},{"id":3561777,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. 
We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n* Clickjacking with minimal security implications\n\nIf you think 
you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-17T20:49:31.829Z"},{"id":3554669,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-05-30T21:31:52.631Z"},{"id":3551861,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. 
You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n\u003e **Please, report vulnerabilities for WordPress.com through the [Automattic HackerOne page](/automattic).**\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are 
expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-21T17:32:07.819Z"},{"id":3551647,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings for passive assets like images and videos\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T21:07:18.378Z"},{"id":3551646,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. 
You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, text injection, or social engineering attacks.\n* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in 
connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T20:07:10.239Z"},{"id":3551637,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n* Output from automated scans - please manually verify issues and include a valid proof of concept.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T18:45:39.788Z"},{"id":3551631,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. 
You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. 
Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards 
received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T16:55:52.580Z"},{"id":3551630,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/. You can find source code at https://wordpress.org/download/source/. We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/), [WordPress.tv](https://wordpress.tv/), [Jobs.WordPress.net](http://jobs.wordpress.net), and all *.WordPress.org sites. You can obtain all of the source code by running `git clone git://meta.git.wordpress.org/` or by installing [the WordPress Meta Environment](https://github.com/WordPress/meta-environment).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T16:50:57.737Z"},{"id":3551628,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/ We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Mixed content warnings\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T16:37:13.417Z"},{"id":3551606,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/ We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))\n* [Path disclosures for errors, warnings, or 
notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n\nIf you think you found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T13:00:16.069Z"},{"id":3551580,"new_policy":"WordPress.org is an open-source publishing platform: https://wordpress.org/ We also welcome reports for the open-source projects [BuddyPress](https://buddypress.org/), [bbPress](https://bbpress.org/), and [GlotPress](https://glotpress.org/) and for websites part of the [WordPress.org](https://wordpress.org/) infrastructure like [WordCamp.org](https://wordcamp.org/), [bbPress.org](https://bbpress.org/), or [BuddyPress.org](https://buddypress.org/).\n\n## Responsible Disclosure Guidelines\n\nThe WordPress security team is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. 
You can help us by following those simple guidelines:\n\n* Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)\n* Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites (please, consider [installing WordPress](https://wordpress.org/download/) locally)\n* Give us a reasonable time to correct the issue before making any information public\n\n## Qualifying Vulnerabilities\n\nAny reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:\n\n* Cross Site Scripting (XSS)\n* Cross Site Request Forgery (CSRF)\n* Server Side Request Forgery (SSRF)\n* Remote Code Execution (RCE)\n* SQL Injection (SQLi)\n\nWe generally **aren’t** interested in the following problems:\n\n* Security vulnerabilities in WordPress plugins: here is [how to report them](https://developer.wordpress.org/plugins/wordpress-org/reporting-security-issues/)\n* Reports for hacked websites: here is [what you can do](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now)\n* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)\n* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)\n* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)\n* WordPress version number disclosure\n* Lack of HTTP security headers (CSP, X-XSS, etc.)\n* Brute force, DDoS, phishing, or social engineering attacks.\n\nIf you think you 
found an exception, please, let us know.\n\n## Fine Print\n\nYou are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-18T02:29:09.484Z"}]
