Instruction: **Do _not_ pentest Trac instances**; it's very annoying to clean up after. Set up a local environment instead; the custom source code is available via the Git command below, in the `trac.wordpress.org` subfolder. **If you ignore this you'll forfeit any bounty.**
Only report vulnerabilities in our custom code; don't report vulnerabilities that only exist upstream in Trac itself. Report those directly to info@edgewall.com.
All source code that isn't behind authentication is intended to be public. The source code itself has `High` CVSS impact scores. The applications that manage the code (Trac, Git, SVN, etc.) have `Low` scores, except for vulnerabilities that allow modifications to the source code.
Most of the source code in these domains is contained in the "meta" repository: `git clone git://meta.git.wordpress.org/`
Integrity requirements: high
Max severity: critical
Asset identifier: *.wordcamp.org
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: *.wordpress.net
Asset type: URL
Availability requirement: none
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: All WordPress.net domains, including (but not limited to) jobs.wordpress.net.
This is a shared-hosting environment, and these are generally low-value targets, so we're usually only interested in high- and medium-severity issues that affect the entire server (not just an individual site).
Integrity requirements: low
Max severity: low
Asset identifier: *.wordpress.org
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: All wordpress.org domains that **are not listed in other assets**, including (but not limited to) the following:
* login.wordpress.org
* developer.wordpress.org
* make.wordpress.org
* translate.wordpress.org
* global.wordpress.org, {locale}.wordpress.org (e.g., de.wordpress.org, es-mx.wordpress.org)
* learn.wordpress.org
Instruction: All code located under [the GlotPress organization](https://github.com/GlotPress/) on GitHub.
The most important target is the `glotpress-wp` repository. Other repositories are in scope, but may have a lower importance.
Integrity requirements: high
Max severity: critical
Asset identifier: Gutenberg
Asset type: SOURCE_CODE
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Download source code from https://github.com/WordPress/gutenberg
Integrity requirements: high
Max severity: critical
Asset identifier: Official WordPress plugins
Asset type: SOURCE_CODE
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Any plugin listed on the WordPress.org profile for [the "wordpressdotorg" account](https://profiles.wordpress.org/wordpressdotorg#content-plugins).
To find the source code for any of them, click on the name to go to the plugin's page within the WordPress.org plugin directory. Once there, click on the `Download` button for a `.zip` file of the latest release, or click on the `Development` tab for links to the code browser and Subversion repository.
Integrity requirements: high
Max severity: critical
Asset identifier: WP-CLI
Asset type: SOURCE_CODE
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: All code located under [the WP-CLI organization](https://github.com/wp-cli) on GitHub.
The most important targets are the main `wp-cli` repository, and any repositories for commands that are bundled with the distributed `wp-cli` source code, like `cache-command`, `scaffold-command`, etc.
Other repositories are in scope, but may have a lower importance.
Instruction: These are wikis; they're intended to be freely edited by anonymous users. We are not interested in vulnerabilities unless they have a severe impact.
Integrity requirements: low
Max severity: medium
Asset identifier: doaction.org
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: high
Max severity: critical
Asset identifier: gutenberg.run
Asset type: URL
Availability requirement: low
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: Each subdomain of this site provides temporary live preview sites for Gutenberg pull requests. Only critical vulnerabilities should be submitted, because the impact of low/medium vulnerabilities is barely noticeable.
More info: https://github.com/WordPress/gutenberg.run
Integrity requirements: none
Max severity: low
Asset identifier: irclogs.wordpress.org
Asset type: URL
Availability requirement: none
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: These are public logs of very old conversations. We are not interested in vulnerabilities unless they have a severe impact (e.g., RCE, XSS, modifying the logs, etc.). DoS is not severe in this case.
Integrity requirements: low
Max severity: low
Asset identifier: lists.wordpress.org
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: We are not interested in vulnerabilities unless they have a severe impact.
Integrity requirements: low
Max severity: medium
Asset identifier: mercantile.wordpress.org
Asset type: URL
Availability requirement: none
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: This site uses [the WooCommerce plugin](https://woocommerce.com/), but we don't accept reports for that. We only accept reports for our custom code. If you find any vulnerabilities that are also present in WooCommerce itself, please [report them to Automattic](/automattic).
Please don't submit test orders (especially automated ones). They don't test any of our custom code, and they are a pain to clean up.
Additionally, price manipulation is a common invalid report; please see #682344.
Integrity requirements: low
Max severity: medium
Asset identifier: munin-*.wordpress.org
Asset type: URL
Availability requirement: none
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: We are not interested in vulnerabilities unless they have a severe impact (e.g., RCE, SSRF). Metrics data is intentionally made public.