Security Policy

We appreciate any vulnerabilities disclosed responsibly to River Security. Please see https://riversecurity.eu/.well-known/security.txt for information on how to report anything outstanding.

In advance, thank you for your service. If a bug report is considered in scope and something River Security is looking to fix, we might reward bug bounty hunters with swag, for example stickers, a t-shirt/hoodie or a challenge coin. We do not reward bounties for findings such as missing security headers, missing best practices, or features turned on and working as intended but which could theoretically be abused, including:

  • Missing web security or mail security headers or configuration
  • WP-Cron enabled in WordPress
  • XMLRPC API
  • Version numbers not at the latest version (unless you can demonstrate practical impact on Confidentiality, Integrity or Availability)
  • TLS configuration
  • Software version information leakage
  • Missing rate limiting on non critical features
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, e.g.: login/logout/search.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies that are not sensitive (note: missing flags on authentication cookies are in scope).
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing.

Known Issues or Won't Fix

  • Enumeration of files, posts, users, content, etc. via the REST API or WordPress functionality is accepted and works as we intend.
  • Denial of Service attacks, for example resource-exhaustion via load.php.