PluginProbe ʕ •ᴥ•ʔ
WP STAGING – WordPress Backup, Restore, Migration & Clone / 4.9.3
WP STAGING – WordPress Backup, Restore, Migration & Clone v4.9.3
4.9.3 4.9.2 4.9.1 4.9.0 4.8.1 trunk 3.0.0 3.0.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.1.0 3.1.1 3.1.2 3.1.3 3.1.4 3.10.0 3.2.0 3.3.1 3.3.2 3.3.3 3.4.1 3.4.3 3.5.0 3.6.0 3.7.1 3.8.0 3.8.1 3.8.2 3.8.3 3.8.4 3.8.5 3.8.6 3.8.7 3.9.0 3.9.1 3.9.2 3.9.3 3.9.4 4.0.0 4.1.0 4.1.1 4.1.2 4.1.3 4.1.4 4.2.0 4.2.1 4.3.0 4.3.1 4.3.2 4.4.0 4.5.0 4.6.0 4.7.0 4.7.1 4.7.2 4.7.3 4.8.0
wp-staging / SECURITY.md
wp-staging Last commit date
Backend 1 day ago Backup 1 week ago Basic 1 day ago Component 3 weeks ago Core 1 day ago Framework 1 day ago Frontend 6 months ago Notifications 9 months ago Staging 1 day ago assets 1 day ago languages 1 week ago resources 1 year ago vendor_wpstg 1 day ago views 1 day ago CONTRIBUTING.md 2 years ago Deactivate.php 9 months ago README.md 4 months ago SECURITY.md 1 day ago autoloader.php 2 months ago bootstrap.php 1 day ago commonBootstrap.php 2 weeks ago constantsFree.php 1 day ago freeBootstrap.php 1 week ago install.php 3 weeks ago opcacheBootstrap.php 1 day ago readme.txt 1 day ago runtimeRequirements.php 3 months ago uninstall.php 1 day ago wp-staging-error-handler.php 7 months ago wp-staging.php 1 day ago
SECURITY.md
120 lines
1 ## Reporting a Vulnerability
2
3 WP STAGING, as one of the leading backup and staging plugins in the WordPress
4 ecosystem, takes security very seriously. No software project can cover every
5 security aspect completely, so we encourage our users and the security
6 community to report security findings directly to us. This document explains
7 how to submit a report, which guidelines apply, and how we evaluate and reward
8 contributions.
9
10 You can find the latest version of this policy at
11 [](https://wp-staging.com/submit-a-security-report-for-wp-staging/https://wp-staging.com/submit-a-security-report-for-wp-staging/](https://wp-staging.com/submit-a-security-report-for-wp-staging/](https://wp-staging.com/submit-a-security-report-for-wp-staging/)
12
13 ## Recognition & Rewards
14
15 We offer monetary rewards for eligible vulnerability reports through our bug
16 bounty program. Each report is evaluated individually based on its technical
17 severity, exploitability, attack prerequisites, affected configurations,
18 report quality, completeness of the submission, and overall security impact.
19
20 While CVSS is an important input to our evaluation, it is not the sole
21 determining factor. Final severity classifications and reward decisions are
22 made solely at the discretion of WP STAGING.
23
24 ## How we assess severity
25
26 Severity is primarily assessed using the
27 [](https://www.first.org/cvss/calculator/3.0Common Vulnerability Scoring System (CVSS)](https://www.first.org/cvss/calculator/3.0](https://www.first.org/cvss/calculator/3.0),
28 together with our own review of exploitability, attack prerequisites, affected
29 configurations, real-world impact, and other relevant technical factors. CVSS
30 gives us a common language for classifying vulnerabilities, but it serves as
31 guidance rather than as an automatic scoring formula.
32
33 Every vulnerability is unique. Two reports with similar CVSS scores may
34 receive different severity classifications or rewards depending on
35 exploitability, affected environments, report quality, and overall security
36 impact. Our internal review process, including the exact scoring and weighting
37 we apply, is not disclosed.
38
39 ## Scope of this program
40
41 This reward program covers the latest release of our plugins:
42
43 - The free WP STAGING plugin
44 - WP Staging Pro
45
46 Other products and services related to WP STAGING, including the website and
47 the customer portal, are not part of this program. If you discover a
48 significant security issue in these areas anyway, we still want to hear about
49 it.
50
51 ## Issues that are out of scope
52
53 - Disclosure of the WP STAGING version number.
54 - CSV (Comma Separated Values) injection without demonstrating a vulnerability.
55 - Missing best practices in the SSL/TLS configuration.
56 - Content spoofing and text injection issues without an attack vector, or
57 without the ability to modify HTML or CSS.
58 - Theoretical vulnerabilities without a proof of concept that demonstrates a
59 significant security impact.
60 - The fact that users with administrator or editor privileges can post
61 arbitrary JavaScript.
62 - Raw output from automated scanners. Please verify issues manually and
63 include a working proof of concept.
64 - Deviations from security best practices without a working proof of concept.
65
66 ## How to get a copy of our plugins for testing
67
68 You can download the free WP STAGING plugin from wordpress.org at
69 [](https://wordpress.org/plugins/wp-staging/https://wordpress.org/plugins/wp-staging/](https://wordpress.org/plugins/wp-staging/](https://wordpress.org/plugins/wp-staging/).
70 If you would like to test WP Staging Pro, contact us at
71 support [at] wp-staging.com and briefly describe what you plan to test.
72
73 ## Conditions and rules
74
75 - Write detailed reports and include step-by-step instructions that we can
76 follow to reproduce the issue. Reports that cannot be reproduced from the
77 information provided do not qualify for a reward.
78 - Focus each report on a single vulnerability, unless demonstrating the impact
79 requires chaining several vulnerabilities.
80 - For duplicate submissions, only the first reproducible report we receive is
81 eligible for a reward. Issues that are already known to us are treated the
82 same way.
83 - If multiple vulnerabilities stem from the same root cause, we may treat them
84 as a single issue for reward purposes.
85 - When your testing could affect systems, services, or data you do not own,
86 protect privacy, data integrity, and service availability at all times. Only
87 interact with accounts you own or accounts whose holders have given you
88 explicit consent.
89
90 ## Responsible disclosure
91
92 Please keep your findings confidential. Do not publish or discuss a
93 vulnerability, even a resolved one, until a fix is available to our users and
94 we have agreed on disclosure with you. Coordinated disclosure protects the
95 many websites that rely on WP STAGING while we work on a fix.
96
97 ## Submit your report
98
99 If you have identified a security issue that matches the guidelines and scope
100 of this program, send your findings to support [at] wp-staging.com and include
101 the following:
102
103 - The affected plugin and the version(s) you tested.
104 - Your own CVSS assessment with brief reasoning, using the
105 [](https://www.first.org/cvss/calculator/3.0CVSS calculator](https://www.first.org/cvss/calculator/3.0](https://www.first.org/cvss/calculator/3.0). Including your
106 calculation helps us evaluate your report more efficiently, but it does not
107 automatically determine the final severity classification or reward.
108 - An explanation of the potential impact of the issue.
109 - A step-by-step walkthrough to reproduce the issue, with a proof of concept
110 where appropriate.
111 - The email address associated with your WP STAGING account.
112
113 ## After your report
114
115 We aim to acknowledge new reports within a few business days and to review
116 every submission promptly. We will keep you informed while we validate the
117 issue, work on a fix, and decide on a reward. Response times may vary
118 depending on the complexity of the issue, and reward decisions are made once
119 the full impact and the fix are clear.
120