As one of the leading plugin developers in the WordPress community, we take security very seriously. However, we recognize that there may be vulnerabilities that we have not yet discovered. That is why we encourage our users and the security community to submit any security issues they find directly to us. This article outlines our reporting process, guidelines, and rewards.
Rewards
We offer rewards based on the severity of the vulnerability, as determined by the Common Vulnerability Scoring System (CVSS). The table below outlines our general guidelines for rewards, but we reserve the right to make final decisions on rewards.
Severity: Reward
- Critical: $1,000
- High: $750
- Medium: $300
- Low: $100
- Informative: –
Scope of the Program
Our security reporting program covers the latest versions of the following plugins:
- WP Staging free
- WP Staging Pro (paid)
Please note that this program does not cover any other WP Staging-related products or services, including the WP Staging website and customer portal. However, if you do discover a severe security flaw on these platforms, please notify us.
Issues that are not within the scope of this program include:
- WP Staging version number disclosure,
- CSV injection without demonstrating a vulnerability,
- missing best practices in SSL/TLS configuration,
- content spoofing and text injection issues without showing an attack vector,
- theoretical vulnerabilities that do not demonstrate significant security impact with a Proof of Concept,
- issues related to administrator or editor privileges that allow arbitrary JavaScript to be posted.
How to Submit a Report
To obtain a copy of our free plugin for testing, you can download it from WordPress.org at https://wordpress.org/plugins/wp-staging/. If you need one of our paid plugins for testing, please contact us at support@wp-staging.com with your testing plan.
When submitting a report, please provide detailed information about the vulnerability, including reproducible steps. Please submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact. If we receive duplicate reports, we will award the first one that we receive and can fully reproduce. Multiple vulnerabilities caused by one underlying issue will only be eligible for one reward.
If your testing overlaps with systems or services that you do not own, please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of those services. Only interact with accounts that you own or with the explicit permission of the account holder.
Disclosure Policy
Please do not discuss any vulnerabilities, even resolved ones, without our express consent.
Submitting Your Report
When you have found a security issue that falls within the scope of our program and meets our guidelines, please submit your report to support@wp-staging.com. In your email, please include the following:
- The CVSS score of the issue, computed with a CVSS calculator
- The impact of the issue
- A detailed guide on how to reproduce the issue
- The email address you used to create a WP Staging account
After Submission
We will make every effort to respond to your report promptly, with a goal of responding within three business days of submission. After triaging your report, we aim to provide a resolution within 10 business days. Once a resolution has been reached, we will aim to award any applicable rewards within an additional 10 business days.
We will keep you informed about our progress throughout the process. Thank you for helping us keep our plugins and the WordPress community safe!