Skip to content

Security: Yoast/yoastcs

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

This is a short excerpt of our security bounty program.

The following plugins are within the scope of this program:

  • Yoast SEO Free
  • Duplicate Post
  • Yoast SEO Premium
  • Local SEO
  • WooCommerce SEO
  • Video SEO
  • News SEO
  • Yoast SEO for Shopify
  • Yoast ACF Analysis
  • Custom Field Finder
  • WHIP
  • Test Helper

Other packages, services or infrastructure in the Yoast organisation are not eligible for bounties under the program. Responsible disclosure of discovered vulnerabilities in those, is, of course, still very much appreciated.

The rules of the bounty program

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • For duplicates, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will only be eligible for one reward.
  • When testing has an overlap with systems or services not owned by you, the tester, make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of that service. Only interact with accounts you own or with the explicit permission of the account holder.

Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) without express consent.

Submit your report

When you've found a security issue that abides by the rules and scope of this project, please submit the report to us via [email protected]. In your mail, make sure to include:

  • the calculation of the CVSS (using the CVSS calculator);
  • the impact of the issue;
  • a detailed guide on how to reproduce the issue;
  • the email address you used to create a MyYoast-account (if applicable).

After your submission

We will make a best effort to meet the following response targets for security reports:

  • Time to first response (from report submit) - 3 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days

There aren’t any published security advisories