Submit a security report for our plugin(s)

As the makers of one of the largest plugins in the WordPress ecosystem, we have an obligation to make and keep our products as safe as possible. Creativity is key in security, and we admit we can't possibly cover all our bases. That's why we ask our users and the security community to submit any security findings directly to us. This article describes how to submit your report, our guidelines and the rewards.

The rewards

To start, here is what we offer for security reports:

Severity      Reward
Critical      $2,000
High          $1,000
Medium        $300
Low           $150
Informative

Severity is based on the CVSS (Common Vulnerability Scoring System). When submitting your security report, include the CVSS vector string and the resulting base score, so that we can verify the calculation. The reward table is a general guideline, and all final decisions are at the discretion of Yoast.

The premises / scope of this program

The scope of this program is (the latest version of) our plugins. Specifically:

  • Yoast SEO Free
  • Duplicate Post (free)
  • Yoast SEO Premium (paid)
  • Local SEO (paid)
  • WooCommerce SEO (paid)
  • Video SEO (paid)
  • News SEO (paid)
  • Yoast SEO for Shopify (paid, with trial)
  • Yoast ACF Analysis (free)
  • Custom Field Finder (free)
  • WHIP (free)
  • Test Helper (free)

All other Yoast-related products and services, including the Yoast website and customer portal, are out of scope for this program. That said, if you find a severe security flaw there, please do notify us.

Issues with WordPress / Yoast plugins that are out of scope:

  • Yoast SEO version number disclosure.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a Proof of Concept.
  • Users with administrator or editor privileges posting arbitrary JavaScript. WordPress grants these roles the unfiltered_html capability by design, so stored XSS that requires such a user to supply the payload is expected behaviour, not a vulnerability.
  • Output from automated scans – please manually verify issues and include a valid Proof of Concept.
  • Not following security best practices – without a working Proof of Concept.

How to…

Obtain a copy of our plugins for testing

Our free plugin is available from wordpress.org at https://wordpress.org/plugins/wordpress-seo/

If you want one of our paid plugins for security testing, please contact us at security@yoast.com and describe what you plan to test.

The rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • For duplicates, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will only be eligible for one reward.
  • When testing has an overlap with systems or services not owned by you, the tester, make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of that service. Only interact with accounts you own or with the explicit permission of the account holder.

Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) without express consent.

Submit your report

When you’ve found a security issue that abides by the rules and scope of this project, please submit the report to us via security@yoast.com. In your mail, make sure to include:

  • The CVSS vector string and base score (from a CVSS calculator)
  • The impact of the issue
  • A detailed guide on how to reproduce the issue
  • The email address you used to create your MyYoast account

After your submission

We will make a best effort to meet the following response targets for security reports:

  • Time to first response (from report submit) – 3 business days
  • Time to triage (from report submit) – 10 business days
  • Time to bounty (from triage) – 10 business days

We’ll keep you informed about our progress throughout the process.