Submit a security report for our plugin(s)

As the makers of one of the largest plugins in the WordPress ecosystem, we have an obligation to make and keep our products as safe as possible. Creativity is key in security, and we admit we can’t possibly cover all our bases. That’s why we ask our users and the security community to submit any security findings directly to us. This article describes how to submit your report, our guidelines and the rewards.

The rewards

To start this off, let’s see what we offer for any security reports:

Severity      Reward
Critical      $2,000
High          $1,000
Medium        $300
Low           $150
Informative   (no reward listed)

The severity is based on the CVSS (Common Vulnerability Scoring System). When submitting your security report, include your CVSS calculation: the resulting base score and the vector string it was computed from, so we can verify each metric choice. The reward table provides general guidelines, and all final decisions are at the discretion of Yoast.

The premises / scope of this program

The scope of this program is (the latest version of) our plugins. Specifically:

  • Yoast SEO Free
  • Duplicate Post (free)
  • Yoast SEO Premium (paid)
  • Local SEO (paid)
  • WooCommerce SEO (paid)
  • Video SEO (paid)
  • News SEO (paid)
  • Yoast SEO for Shopify (paid, with trial)
  • Yoast ACF Analysis (free)
  • Custom Field Finder (free)
  • WHIP (free)
  • Test Helper (free)

All other Yoast-related products and services are not included in the scope of this program. This includes the Yoast website and customer portal. If you do find a severe security flaw there, however, please notify us anyway.

Issues with WordPress / Yoast plugins that are out of scope:

  • Yoast SEO version number disclosure.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Users with administrator or editor privileges can post arbitrary JavaScript (in WordPress these roles hold the unfiltered_html capability by design, so this is expected behaviour rather than a plugin flaw).
  • Output from automated scans – please manually verify issues and include a valid Proof of Concept.
  • Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a Proof of Concept.
  • Not following security best practices – without a working Proof of Concept.

Regarding the last two items, please scroll down to “Automated / AI scans and static code analysis”.

How to…

Obtain a copy of our plugins for testing

Our free plugin is obtainable via wordpress.org at https://wordpress.org/plugins/wordpress-seo/

If you want one of our paid plugins for security testing, please contact us at security@yoast.com and describe what you plan to test and how.

The rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • For duplicates, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will only be eligible for one reward.
  • When testing has an overlap with systems or services not owned by you, the tester, make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of that service. Only interact with accounts you own or with the explicit permission of the account holder.

Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) without express consent.

Submit your report

When you’ve found a security issue that abides by the rules and scope of this project, please submit the report to us via security@yoast.com. In your mail, make sure to include:

  • Your CVSS calculation (score and vector string, using the CVSS calculator)
  • The impact of the issue
  • A detailed guide on how to reproduce the issue, including a Proof of Concept
  • The email address you used to create your MyYoast account

After your submission

We will make a best effort to meet the following response targets for security reports:

  • Time to first response (from report submit) – 3 business days
  • Time to triage (from report submit) – 10 business days
  • Time to bounty (from triage) – 10 business days

We aim to keep you informed about our progress throughout the process.

Automated / AI scans and static code analysis

Our plugins are used in a broad ecosystem of plugins, themes, custom code, updates, servers, et cetera. That means our code sometimes relies on others’ code, and others’ code sometimes relies on ours. Context is therefore incredibly important, which is why AI-driven and static code analysis of our plugins’ code so often returns a list of false positives. Much of our code is annotated with comments explaining why a given piece of code is written the way it is, and properly configured automated scanners know how to interpret these annotations.

This is why we will not accept unsubstantiated submissions of automated scans or broad security audits. If you are a company that regularly scans and audits its plugins (good on you, really) and you have procured a list of “vulnerabilities” in our products, please manually verify these findings yourself. You will often find that the flagged code is annotated in one way or another, and where it is not annotated, it is most likely still not exploitable in practice. However, if it is vulnerable and you have a Proof of Concept that reproduces the vulnerability, feel free to contact us!

Reports with invalid findings that we deem automated or AI generated will not be replied to and will be marked as spam.