Vulnerability Disclosure Policy

This document describes how WPVULNDB (wpvulndb.com) discloses vulnerabilities in WordPress Core, plugins and themes that we become aware of from various sources.

This is not a legal document. It is a guideline for WPScan Team members to adhere to, and it is intended to make security researchers, software authors and the public aware of how we manage vulnerability disclosure.

This policy generally relates to WordPress plugin and theme vulnerabilities; WordPress Core vulnerabilities may be treated differently.

1. Publicly Disclosed

If the vulnerability information is already public, whether on Twitter, a public website, a mailing list or anywhere else that may be deemed public, we will take the following actions.

1.1. Unpatched Vulnerability

If the public vulnerability information is deemed to relate to an unpatched vulnerability, we will attempt to contact the software author to make them aware of the already public information.

We may or may not verify whether the report is a false positive. This will depend on our workload and on how easily the vulnerability can be verified.

If the software author's contact details are not easily obtainable, we may not be able to contact the software author directly. In this case we will use the plugin's WordPress support page to attempt to contact the author. We may also contact WordPress directly. Whether or not the software author replies to our communications, we will publish the vulnerability information in full within 24 hours of being made aware of it.

We believe that once vulnerability information is public and the vulnerability is unpatched, we can safely assume that threat actors may also be in possession of this information. At that point, sharing the information as widely as possible most benefits the users of the software: it allows them to take mitigating actions and applies pressure on the software author to patch the vulnerability as soon as possible.

1.2. Patched Vulnerability

If the public vulnerability information is deemed to relate to a patched vulnerability, we will publish the information as soon as possible.

2. Privately Disclosed

If the vulnerability information is sent to us directly via private communications, such as email or the wpvulndb.com submission system, we will take the following actions.

2.1. Unpatched Vulnerability

We will attempt to contact the software author to inform them of the vulnerability that has been reported to us.

We may or may not verify whether the report is a false positive. This will depend on our workload and on how easily the vulnerability can be verified.

If the software author's contact details are not easily obtainable, we may not be able to contact the software author. Whether or not the software author replies to our communications, we will publish the vulnerability information in full within 24 hours of being made aware of it, unless the author requests more time.

If we are not able to contact the software author, we may contact WordPress via their contact email addresses (security at wordpress.com, plugins at wordpress.org or themes at wordpress.org) to inform them of the unpatched vulnerability and allow them to take whatever action they deem necessary.

2.2. Patched Vulnerability

If the private vulnerability information is deemed to relate to a patched vulnerability, we will publish the information as soon as possible.

3. Automated Software Author Communications

We have an automated system that plugin and theme authors can sign up to. It emails them when a vulnerability relating to one of their plugins or themes is entered into our queuing system.

This system is not open to public registration; to be enrolled, plugin and theme authors must contact us directly.

This system is not foolproof: emails may sometimes not be sent due to software bugs, and the system may be susceptible to human error. It is currently a free service.