Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
woocommerce/SECURITY.md

39 lines
2.6 KiB
Markdown
Raw Normal View History

Added security policy
2020-10-02 07:28:32 +00:00
# Security Policy
Full details of the Automattic Security Policy can be found on [automattic.com/security](https://automattic.com/security/).
## Supported Versions
Generally, *only the latest version of WooCommerce has continued support*. If a critical vulnerability is found in the current version of WooCommerce, we may opt to backport any patches to previous versions.
## Reporting a Vulnerability
[WooCommerce](https://wordpress.org/plugins/woocommerce) is an open-source plugin for WordPress. Our HackerOne program covers the plugin software, as well as a variety of related projects and infrastructure.
Linked the main messaging to automattic property.
2020-10-02 07:53:42 +00:00
**For responsible disclosure of security issues and to be eligible for our bug bounty program, please submit your report based on instructions found on [automattic.com/security](https://automattic.com/security).**
Added security policy
2020-10-02 07:28:32 +00:00
Our most critical targets are:
* WooCommerce core (this repository)
* WooCommerce [Blocks](https://wordpress.org/plugins/woo-gutenberg-products-block/) and [Admin](https://wordpress.org/plugins/woocommerce-admin/) packages and plugins
Update Woo.com references to WooCommerce.com (#46259) * replace capitalized Woo.com with WooCommerce.com * replace http URLs * replace https URLs * replace developer.woo.com * add missing version in `@since` tag * unslash the HTTP_REFERER * WordPress.Security.ValidatedSanitizedInput.InputNotSanitized * add changelog file * add more changelog files * address linter errors * address more linter errors * fix test * more linter errors
2024-04-09 08:50:15 +00:00
* WooCommerce.com -- the primary marketplace and marketing site, and all of it subdomains, e.g. [developer.woo.com](https://developer.woocommerce.com/)
capitalize Woo.com (and WordPress.com) when used in a sentence
2023-11-10 14:36:38 +00:00
* WordPress.com -- hosted WooCommerce for Business and eCommerce offering on WordPress.com.
Added security policy
2020-10-02 07:28:32 +00:00
For more targets, see the `In Scope` section on [HackerOne](https://hackerone.com/automattic).
appease the linter
2023-11-06 22:43:45 +00:00
Please note that the **WordPress software is a separate entity** from Automattic. Please report vulnerabilities for WordPress through [the WordPress Foundation's HackerOne page](https://hackerone.com/wordpress).
Added security policy
2020-10-02 07:28:32 +00:00
## Guidelines
We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:
* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
* Pen-testing Production:
* Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).
* If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.
appease the linter
2023-11-06 22:43:45 +00:00
* **Don't automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
Added security policy
2020-10-02 07:28:32 +00:00
* To be eligible for a bounty, please follow all of these guidelines.
* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability.
We also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.