Security Policy
We appreciate any vulnerabilities disclosed responsibly to River Security. Please see https://riversecurity.eu/.well-known/security.txt for information on how to report anything outstanding.
In advance, thank you for your service. If a bug report is considered in-scope and something River Security is looking to fix, we may reward bug bounty hunters with swag, for example stickers, a t-shirt or hoodie, or a challenge coin. We do not reward bounties for findings such as missing security headers, missing best practices, or features that are turned on and working as intended but which could theoretically be abused, including:
- Missing web security or mail security headers or configuration
- WP-Cron enabled in WordPress
- XML-RPC API enabled
- Version numbers not at the latest version (unless you can demonstrate practical impact on Confidentiality, Integrity or Availability)
- TLS configuration
- Software version information leakage
- Missing rate limiting on non-critical features
Known Issues or Won't Fix
- Enumeration of files, posts, or content via the REST API or other WordPress functionality is accepted and works as we intend.
- Denial of Service attacks, for example resource-exhaustion via load.php.