Every day we do our best to make sure Analytics Insights for WordPress (AIWP, formerly GADWP) is safe and secure. But we’re only human, and there’s always a chance that we missed something. That’s where you come in: find a security weakness in our plugin, report it on deconf.com, and get listed as a contributor!
Policy
Responsible Disclosure Guidelines
We are committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:
- Provide full details of the vulnerability: the affected plugin version, the steps needed to reproduce and validate it, and a working proof of concept (PoC)
- Make a good-faith effort to avoid privacy violations and the destruction or modification of data on live sites; please test against a local installation of AIWP rather than a production site
- Give us a reasonable amount of time to correct the issue before making any information public
Qualifying Vulnerabilities
Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
We generally aren’t interested in the following problems:
- Security vulnerabilities in WordPress core: report those to the WordPress security team rather than to us
- Reports of already-hacked websites: a compromised site is not in itself a plugin vulnerability, and cleanup help is provided separately
- Open API endpoints serving public data
- Path disclosures for errors, warnings, or notices
- Plugin version number disclosure
- Mixed content warnings
- Lack of HTTP security headers
- Brute force, DDoS, phishing, text injection, or social engineering attacks
- Google Analytics platform and resources related issues
- Any vulnerability with a CVSS v3 base score below 4.0, unless it can be chained with other vulnerabilities to achieve a higher score
- Raw output from automated scanners; please manually verify each issue and include a valid proof of concept
If you believe your finding is an exception to these rules, please let us know anyway.
Thank you for helping keep AIWP and our users safe!