Security Policy

We appreciate any vulnerabilities disclosed responsibly to River Security. Please see https://riversecurity.eu/.well-known/security.txt for information on how to report anything outstanding.

In advance, thank you for your service. If a bug report is considered in-scope and something River Security is looking to fix, we might reward bug bounty hunters with for example swag such as stickers, t-shirt/hoodie, challenge coin. We do not reward bounty for findings such as missing security headers , missing best practices, features turned on and working as intended but which could theoretically be abused, including:

  • Missing web security or mail security headers or configuration
  • WP-Cron enabled in WordPress
  • XMLRPC API
  • Version numbers not at the latest version (unless you can demonstrate practical impact on Confidentiality, Integrity or Availability)
  • TLS configuration
  • Software version information leakage
  • Missing rate limiting on non critical features

Known Issues or Wont Fix

  • Enumeration of files, posts, content via REST API, or WordPress functionality, is accepted and per our intentions.
  • Denial of Service attacks, for example resource-exhaustion via load.php.