WPScan Vulnerability Disclosure Policy

Last updated: November 23rd, 2020.

Disclosure Policy

This document outlines how we process vulnerabilities affecting WordPress core, its plugins or themes, whether submitted directly to us by a security researcher, already publicly disclosed on the Internet, or found by the WPScan team themselves. In this document all timelines assume working days, Monday to Friday. All security vulnerabilities are manually entered into our database and, where possible, manually verified.

Undisclosed Vulnerabilities

Security vulnerabilities that are not publicly known, or are very limited in their exposure:

  • We will go through the effort of trying to make the vendor aware of the vulnerability, if it is clear that the vendor has not already been informed.
  • We will give the vendor at least 48 hours to reply to our initial contact before disclosing the vulnerability. If the vendor responds, the vendor can request more time before we publicly disclose the vulnerability.
  • If the vendor does not reply within 48 hours, we will escalate the vulnerability to the marketplace owners, such as the WordPress plugins team at [email protected]. Depending on the severity of the vulnerability, we may wait until the WordPress plugins team have taken action, or disclose the vulnerability immediately after contacting them.

Disclosed Vulnerabilities

Security vulnerabilities that are already publicly known, such as those disclosed in a blog post, on a social media platform, or in a third-party vulnerability database, or that are being actively exploited:

  • If the vulnerability has already been patched, we will disclose the vulnerability immediately and make no effort to contact the vendor or WordPress.
  • If the vulnerability has not been patched, we will go through the effort of trying to make the vendor aware of the vulnerability, if it is clear that the vendor has not already been informed.
  • If the vulnerability has not been patched, we will escalate the vulnerability to the marketplace owners, such as the WordPress plugins team at [email protected], and disclose the vulnerability immediately after contacting them.