At RexTheme, we’re dedicated to ensuring the security of our WordPress plugins. While we strive for perfection, we recognize that every software has its nuances. Your expertise can be instrumental in fortifying our products.
We understand that software, including ours, may have undiscovered security issues. Identifying and addressing these issues is a collective effort. Whether you’re an experienced security researcher or just starting, we welcome everyone to contribute to our Bug Bounty Program. Your insights, big or small, help us create a safer experience for our users.
Please join us in making our plugins more secure. Your contributions matter, and together, we can stay ahead of potential threats.
How We Approach Security Issues
- Once a vulnerability report is received, our team will promptly investigate the issue.
- Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
- We will develop a fix for the vulnerability and release an update as soon as possible.
- Security researchers will be credited for their findings unless they prefer to remain anonymous.
- If you’d like, you’ll be listed in our Security Research Hall Of Fame!
Scope of this program
The scope of this program is (the latest version of) our plugins.
- WooCommerce Product Feed Manager
- WP VR
- Cart Lift
- Dynamic Discount for WooCommerce
- Product Recommendations for WooCommerce
- Checkoutify Checkout field manager for WooCommerce
Rules
- While searching for vulnerabilities, please ensure the availability, confidentiality, and integrity of our data and processes are not compromised. Refrain from executing phishing, DDoS, or brute force tests, and avoid changing any data.
- Vulnerability reports must include manual validation. Reports based solely on automated tools, scanners, or theoretical attack vectors without proof of exploitability will be automatically closed.
- Provide detailed reports with reproducible steps. If the report lacks sufficient detail to reproduce the issue, it will not be eligible for a reward.
- Collect only the information necessary to demonstrate the vulnerability.
- For duplicates, we only award the first report that was received, provided that it can be fully reproduced. Multiple vulnerabilities caused by one underlying issue will only be eligible for one reward.
Out of scope vulnerabilities
- Issues on outdated or unsupported versions of our plugins.
- Issues found in third-party plugins or themes.
- Clickjacking
- Brute force attacks
- Open CORS headers
- CSRF vulnerabilities
- Publicly accessible login panels
- Reports from scanners and automated tools
- CSRF on forms that are available to anonymous users (e.g. login or contact forms)
- Anything related to Mail Server Domain Misconfiguration (Email spoofing, missing DMARC, SPF/DKIM, etc.)
- Missing Best Practices that don’t pose a direct security threat will most likely not be accepted.