WP Engine

  • Points per vulnerability
  • Managed by Bugcrowd

Program stats

40 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

WP Engine invites you to test the WP Engine Digital Platform. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to ecommerce extensions. Good luck and happy hunting!


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases a vulnerability's priority will be modified based on its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Targets

In scope

Target name                    Type
wpengine.com                   Website
my.wpengine.com                Website
*.wpengine.io                  Website
*.wpesvc.net                   Website
*.studiopress.com              Website
spressforumstg.wpengine.com    Website
studiopress.blog               Website

Out of scope

Target name                    Type
wpengine.com/contact/          Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of WP Engine not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
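The scope rules above have two edges that are easy to get wrong when filtering a list of hosts or URLs before testing: a bare entry such as wpengine.com covers only that exact host (every unlisted subdomain is out of scope), while a wildcard entry such as *.wpengine.io covers its subdomains, and an out-of-scope entry can be a path on an otherwise in-scope host. The following scope checker is an added example, not part of the program page or any Bugcrowd tooling; the target lists are copied from this page, and it assumes that a `*.` wildcard does not cover the apex itself and that an out-of-scope path entry excludes everything under that path prefix.

```python
# Added example: classify candidate URLs against the scope tables on this page.
from urllib.parse import urlsplit

# In-scope entries copied from the program page.
IN_SCOPE = [
    "wpengine.com",
    "my.wpengine.com",
    "*.wpengine.io",
    "*.wpesvc.net",
    "*.studiopress.com",
    "spressforumstg.wpengine.com",
    "studiopress.blog",
]

# Out-of-scope entries: (host pattern, path prefix). The page lists one.
OUT_OF_SCOPE_PATHS = [
    ("wpengine.com", "/contact/"),
]


def host_matches(host: str, pattern: str) -> bool:
    """True if `host` is covered by a scope entry.

    A bare entry matches only that exact host; a `*.` entry matches any
    subdomain beneath it. Assumption: the wildcard does not cover the apex.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.wpengine.io" -> ".wpengine.io"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(url: str) -> str:
    """Return "in-scope" or "out-of-scope" for a URL or bare hostname."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    # Normalise the path so "/contact" and "/contact/" compare the same way.
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"

    if not any(host_matches(host, entry) for entry in IN_SCOPE):
        return "out-of-scope"
    for oos_host, prefix in OUT_OF_SCOPE_PATHS:
        if host_matches(host, oos_host) and path.startswith(prefix):
            return "out-of-scope"
    return "in-scope"


def filter_in_scope(candidates):
    """Keep only the candidates that classify as in-scope."""
    return [c for c in candidates if classify(c) == "in-scope"]


if __name__ == "__main__":
    # Constructed sample inputs, not hosts taken from any real enumeration.
    sample = [
        "https://my.wpengine.com/login",
        "https://api.wpengine.io/v1/health",
        "https://api.wpengine.com/",          # unlisted subdomain of a bare entry
        "https://wpengine.com/contact/",       # out-of-scope path
        "https://wpengine.com/pricing/",
        "studiopress.blog",
    ]
    for item in sample:
        print(f"{classify(item):13} {item}")
```

Note that the checker deliberately treats `api.wpengine.com` as out of scope even though `my.wpengine.com` is listed, which is exactly what the paragraph above requires; any host that ends up in the "out-of-scope" bucket but looks like it belongs to WP Engine is the case the page says to raise with support@bugcrowd.com before submitting.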


Target Info:

  • wpengine.com is the landing page for all WP Engine services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

  • my.wpengine.com controls authentication for WP Engine. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

  • *.wpengine.io & *.wpesvc.net are apex domains used for microservices hosted as subdomains and for service-to-service APIs. These services are not meant to be consumed by the public, but they run on public DNS. To aid in testing, we've provided some initial OSINT for these domains: https://crt.sh/?q=%25wpengine.io & https://crt.sh/?q=%25wpesvc.net

  • *.studiopress.com, in particular studiopress.com, www.studiopress.com, and my.studiopress.com, are public-facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

  • studiopress.blog is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.

  • spressforumstg.wpengine.com is the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @bugcrowdninja.com email address, but should refrain from interacting with the community, making public posts, or performing automated testing that may cause disruption. Do not attempt to gain access to any user accounts not under your control.

Researchers are welcome to test functionality behind the paywall if they wish, provided it falls within the scope of this bounty. However, no reimbursements will be made for money spent to access this part of the application.


Out-of-Scope:

  • Denial of Service / Distributed Denial of Service attacks
  • Support, contact forms and chats are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

Program rules

This program follows Bugcrowd’s standard disclosure terms.