wp-staging
Last commit date
Backend
1 day ago
Backup
1 week ago
Basic
1 day ago
Component
3 weeks ago
Core
1 day ago
Framework
1 day ago
Frontend
6 months ago
Notifications
9 months ago
Staging
1 day ago
assets
1 day ago
languages
1 week ago
resources
1 year ago
vendor_wpstg
1 day ago
views
1 day ago
CONTRIBUTING.md
2 years ago
Deactivate.php
9 months ago
README.md
4 months ago
SECURITY.md
1 day ago
autoloader.php
2 months ago
bootstrap.php
1 day ago
commonBootstrap.php
2 weeks ago
constantsFree.php
1 day ago
freeBootstrap.php
1 week ago
install.php
3 weeks ago
opcacheBootstrap.php
1 day ago
readme.txt
1 day ago
runtimeRequirements.php
3 months ago
uninstall.php
1 day ago
wp-staging-error-handler.php
7 months ago
wp-staging.php
1 day ago
SECURITY.md
120 lines
| 1 | ## Reporting a Vulnerability |
| 2 | |
| 3 | WP STAGING, as one of the leading backup and staging plugins in the WordPress |
| 4 | ecosystem, takes security very seriously. No software project can cover every |
| 5 | security aspect completely, so we encourage our users and the security |
| 6 | community to report security findings directly to us. This document explains |
| 7 | how to submit a report, which guidelines apply, and how we evaluate and reward |
| 8 | contributions. |
| 9 | |
| 10 | You can find the latest version of this policy at |
| 11 | [](https://wp-staging.com/submit-a-security-report-for-wp-staging/https://wp-staging.com/submit-a-security-report-for-wp-staging/](https://wp-staging.com/submit-a-security-report-for-wp-staging/](https://wp-staging.com/submit-a-security-report-for-wp-staging/) |
| 12 | |
| 13 | ## Recognition & Rewards |
| 14 | |
| 15 | We offer monetary rewards for eligible vulnerability reports through our bug |
| 16 | bounty program. Each report is evaluated individually based on its technical |
| 17 | severity, exploitability, attack prerequisites, affected configurations, |
| 18 | report quality, completeness of the submission, and overall security impact. |
| 19 | |
| 20 | While CVSS is an important input to our evaluation, it is not the sole |
| 21 | determining factor. Final severity classifications and reward decisions are |
| 22 | made solely at the discretion of WP STAGING. |
| 23 | |
| 24 | ## How we assess severity |
| 25 | |
| 26 | Severity is primarily assessed using the |
| 27 | [](https://www.first.org/cvss/calculator/3.0Common Vulnerability Scoring System (CVSS)](https://www.first.org/cvss/calculator/3.0](https://www.first.org/cvss/calculator/3.0), |
| 28 | together with our own review of exploitability, attack prerequisites, affected |
| 29 | configurations, real-world impact, and other relevant technical factors. CVSS |
| 30 | gives us a common language for classifying vulnerabilities, but it serves as |
| 31 | guidance rather than as an automatic scoring formula. |
| 32 | |
| 33 | Every vulnerability is unique. Two reports with similar CVSS scores may |
| 34 | receive different severity classifications or rewards depending on |
| 35 | exploitability, affected environments, report quality, and overall security |
| 36 | impact. Our internal review process, including the exact scoring and weighting |
| 37 | we apply, is not disclosed. |
| 38 | |
| 39 | ## Scope of this program |
| 40 | |
| 41 | This reward program covers the latest release of our plugins: |
| 42 | |
| 43 | - The free WP STAGING plugin |
| 44 | - WP Staging Pro |
| 45 | |
| 46 | Other products and services related to WP STAGING, including the website and |
| 47 | the customer portal, are not part of this program. If you discover a |
| 48 | significant security issue in these areas anyway, we still want to hear about |
| 49 | it. |
| 50 | |
| 51 | ## Issues that are out of scope |
| 52 | |
| 53 | - Disclosure of the WP STAGING version number. |
| 54 | - CSV (Comma Separated Values) injection without demonstrating a vulnerability. |
| 55 | - Missing best practices in the SSL/TLS configuration. |
| 56 | - Content spoofing and text injection issues without an attack vector, or |
| 57 | without the ability to modify HTML or CSS. |
| 58 | - Theoretical vulnerabilities without a proof of concept that demonstrates a |
| 59 | significant security impact. |
| 60 | - The fact that users with administrator or editor privileges can post |
| 61 | arbitrary JavaScript. |
| 62 | - Raw output from automated scanners. Please verify issues manually and |
| 63 | include a working proof of concept. |
| 64 | - Deviations from security best practices without a working proof of concept. |
| 65 | |
| 66 | ## How to get a copy of our plugins for testing |
| 67 | |
| 68 | You can download the free WP STAGING plugin from wordpress.org at |
| 69 | [](https://wordpress.org/plugins/wp-staging/https://wordpress.org/plugins/wp-staging/](https://wordpress.org/plugins/wp-staging/](https://wordpress.org/plugins/wp-staging/). |
| 70 | If you would like to test WP Staging Pro, contact us at |
| 71 | support [at] wp-staging.com and briefly describe what you plan to test. |
| 72 | |
| 73 | ## Conditions and rules |
| 74 | |
| 75 | - Write detailed reports and include step-by-step instructions that we can |
| 76 | follow to reproduce the issue. Reports that cannot be reproduced from the |
| 77 | information provided do not qualify for a reward. |
| 78 | - Focus each report on a single vulnerability, unless demonstrating the impact |
| 79 | requires chaining several vulnerabilities. |
| 80 | - For duplicate submissions, only the first reproducible report we receive is |
| 81 | eligible for a reward. Issues that are already known to us are treated the |
| 82 | same way. |
| 83 | - If multiple vulnerabilities stem from the same root cause, we may treat them |
| 84 | as a single issue for reward purposes. |
| 85 | - When your testing could affect systems, services, or data you do not own, |
| 86 | protect privacy, data integrity, and service availability at all times. Only |
| 87 | interact with accounts you own or accounts whose holders have given you |
| 88 | explicit consent. |
| 89 | |
| 90 | ## Responsible disclosure |
| 91 | |
| 92 | Please keep your findings confidential. Do not publish or discuss a |
| 93 | vulnerability, even a resolved one, until a fix is available to our users and |
| 94 | we have agreed on disclosure with you. Coordinated disclosure protects the |
| 95 | many websites that rely on WP STAGING while we work on a fix. |
| 96 | |
| 97 | ## Submit your report |
| 98 | |
| 99 | If you have identified a security issue that matches the guidelines and scope |
| 100 | of this program, send your findings to support [at] wp-staging.com and include |
| 101 | the following: |
| 102 | |
| 103 | - The affected plugin and the version(s) you tested. |
| 104 | - Your own CVSS assessment with brief reasoning, using the |
| 105 | [](https://www.first.org/cvss/calculator/3.0CVSS calculator](https://www.first.org/cvss/calculator/3.0](https://www.first.org/cvss/calculator/3.0). Including your |
| 106 | calculation helps us evaluate your report more efficiently, but it does not |
| 107 | automatically determine the final severity classification or reward. |
| 108 | - An explanation of the potential impact of the issue. |
| 109 | - A step-by-step walkthrough to reproduce the issue, with a proof of concept |
| 110 | where appropriate. |
| 111 | - The email address associated with your WP STAGING account. |
| 112 | |
| 113 | ## After your report |
| 114 | |
| 115 | We aim to acknowledge new reports within a few business days and to review |
| 116 | every submission promptly. We will keep you informed while we validate the |
| 117 | issue, work on a fix, and decide on a reward. Response times may vary |
| 118 | depending on the complexity of the issue, and reward decisions are made once |
| 119 | the full impact and the fix are clear. |
| 120 |