Reporting a security issue

garyc40 edited this page Jan 10, 2013 · 1 revision

This document details the proper protocol to report a security issue.

What is a security issue?

Nothing can explain it better than the WordPress Codex itself. We'd like to quote it verbatim:

A security issue (or security vulnerability) is a type of bug that affects the security of WordPress installations.

If you've found a bug in the WordPress core code that you have determined can be used to gain some level of access to a site running WordPress that you should not have, then that is a security issue.

Before you report a security issue, please bear in mind the following:

  1. Your blog being "hacked" is not a security issue. A security issue will involve knowing how the attacker got in and hacked your site. If you have details on the attack vector, then email us. If not, report the issue on the Support Forums.
  2. Forgetting your password or losing access to your site is not a security issue. You should try resetting your password or contacting your site administrator or host for help.
  3. Generally, security issues are complex problems. If you want to report a security issue, then that's great! You're in the right place. However, be sure that what you're reporting is actually a security issue so you don't waste your own time or that of the experts you report it to.
  4. The security mailing addresses are NOT for support. Don't send general problems to them. Your message will not be replied to. Use the Support Forums instead.

Where do I report security issues?

Before reporting a security issue, please make sure you've read the section above and determined that what you have is a valid security issue.

Once you're certain about the nature of the issue, please send as many details as possible to support@instinct.co.nz and make sure the subject of the email starts with the prefix [security]; otherwise it might take longer to get a response.

In all cases, you should never publish details of a security vulnerability, whether on our GitHub issue tracker or on our support forums. That would do much more harm than good, as it gives malicious hackers time to exploit the issue before we're able to do anything about it.