WP Engine invites you to test the WP Engine Digital Platform. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to ecommerce extensions. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of WP Engine not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
wpengine.com is the landing page for all WP Engine services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.
my.wpengine.com controls authentication for WP Engine. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.
*.wpesvc.net are apex domains - used for microservices hosted as subdomains and service-to-service APIs - these are not meant to be consumed by the public but run on public DNS. To aid in testing, we've provided some initial OSINT for these domains:
*.studiopress.com, in particular my.studiopress.com, are public-facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.
studiopress.blog is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.
spressforumstg.wpengine.com is the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @bugcrowdninja.com email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.
Researchers are welcome to test functionality behind the paywall, if they wish (provided it falls within the scope of this bounty). However, no reimbursements will be made for money spent to access this part of the application.
- Email spoofing through missing or misconfigured DKIM, DMARC, or SPF records.
- Information disclosure or DoS through native WordPress functionality, including wp-json, xmlrpc, oembed, or other REST API endpoints.
- Denial of Service / Distributed Denial of Service testing
- Brute-force or load testing
- Contacting the WP Engine support or sales teams through any means, including Phone/Email/Chat. If technical support is needed, utilize our online documentation at https://wpengine.com/support/, or contact Bugcrowd support
- Testing of sites hosted on *.wpengine.com, except where explicitly permitted as “In Scope”
- Testing of third-party services used by WP Engine, except where explicitly permitted as “In Scope”
- Use of automated vulnerability scanners against any services