Vulnerability Disclosure Policy

As a provider of security software, services, and research, we take security issues very seriously and strive to lead by example. We recognize the importance of collaboration between vendors, researchers, and customers and seek to improve the safety and security of the community as a whole through a coordinated disclosure process.

This policy outlines the steps researchers should take to report security issues to Wordfence, as well as the process we use when disclosing vulnerabilities to other vendors.

Reporting Security Issues to Wordfence in WordPress Plugins, Themes, and Core for CVE Assignment

Contact the Wordfence Threat Intelligence Team by sending an email to security@wordfence.com in the following situations:

    • You have identified a potential security vulnerability in a WordPress plugin.
    • You have identified a potential security vulnerability in a WordPress theme.
    • You have identified a potential security vulnerability in WordPress core.

When reporting vulnerabilities to Wordfence for WordPress plugins, themes, or WordPress core, please include the following details:

    • A concise description of the vulnerability.
    • A proof of concept – that is, how the vulnerability could potentially be exploited.
    • What software component in our scope is affected – namely, which plugin or theme is affected, or which part of WordPress core.
    • The version number(s) affected.
    • The name(s) of individuals you would like credited for the discovery – or indicate if you would like to remain anonymous.
    • Any other additional information as appropriate.

Though not required, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using our public PGP key.

The Wordfence Threat Intelligence team will review your findings and report back within 1-3 business days with a CVE ID assignment or a request for additional information. Assigned CVE IDs are listed on our site under Vulnerability Advisories.

Reporting Security Issues in Wordfence Products to Wordfence

Contact the Wordfence Security Team by sending email to security@wordfence.com in the following situations:

    • You have identified a potential security vulnerability with one of our products.
    • You have identified a potential security vulnerability with one of our services.

To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using our public PGP key.

After your incident report is received, the appropriate personnel will contact you to follow up. Wordfence attempts to acknowledge receipt of all submitted reports within seven days.

The security@wordfence.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit https://support.wordfence.com.

Software Vulnerability Disclosure and Remediation Process

When the Wordfence Threat Intelligence Team finds a vulnerability in another vendor’s product, or if a vulnerability affecting our plugin is disclosed to us, we take the following steps to address the issue. “Vendor” below may refer to us or to an external vendor.

    1. Our Threat Intelligence team verifies the vulnerability and determines severity.
    2. Where possible, we develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.
    3. We notify the vendor, if necessary, and simultaneously release a firewall rule to protect our premium customers via the Threat Defense Feed. Customer sites are updated immediately with the rule and no customer action is required.
    4. Details of the vulnerability may be published after the following deadlines, based on the date the vendor was notified:
      1. 30 days if the vendor acknowledges our report within 14 days of initial contact
      2. 14 days if the vendor does not acknowledge our report within 14 days of initial contact
      3. At our discretion if the vulnerability is being actively exploited, to inform and protect the WordPress community
      4. If a deadline would fall on a weekend or holiday, the deadline will be placed on the earliest following business day
    5. Once the vendor releases a fix, or a disclosure deadline is reached, we announce the existence of the vulnerability to encourage the community to upgrade.
    6. Wordfence community (free) customers receive the firewall rule 30 days after the initial release to Premium customers.

All aspects of this process are subject to change without notice, and to case-by-case exceptions.

Service Vulnerability Disclosure Policy

We define a service vulnerability as any issue with a technology service that represents an exploitable security risk for its users. We draw a distinction between service and software vulnerabilities, because in many cases the service vulnerability is due to configuration issues instead of a software bug.

When the Wordfence Security Services Team discovers a security vulnerability in a service, such as WordPress hosting, we take the following steps to address the issue:

    1. Our Threat Intelligence team verifies the vulnerability and determines severity.
    2. Details of the vulnerability may be published after the following deadlines, based on the date the vendor was notified:
      • 30 days if the vendor acknowledges our report within 14 days of initial contact
      • 14 days if the vendor does not acknowledge our report within 14 days of initial contact
      • At our discretion if the vulnerability is being actively exploited, to inform and protect the WordPress community
      • If a deadline would fall on a weekend or holiday, the deadline will be placed on the earliest following business day
    3. Where this service vulnerability directly affects a customer, we may notify that customer if there are actions they can take to remediate the issue and/or consider changing hosting providers. We will not provide technical details of the service vulnerability until we disclose publicly.
    4. The service provider releases a fix or the deadline passes, and we announce the vulnerability via our blog.

All aspects of this process are subject to change without notice, and to case-by-case exceptions.