White Hat Reward - ManageWP

Every day we do our best to make sure ManageWP is running safely and securely. But we’re only human, and there’s always a chance that we missed something. That’s where you come in – find a weakness in our security, collect the cash reward and get listed as a contributor!

Terms for claiming your bounty

Provide us reasonable time to analyze and respond to your report and please do not disclose this information without our consent. Avoid privacy violations, deleting our data and interruption of our service during your research. You must be the first person to have reported this vulnerability.

When searching for vulnerabilities, please use a test account instead of a real account. Do not use other accounts without the consent of their owners. Our web security consultant will inform you whether your vulnerability report has qualified for our bounty after confirmation.

Please do not use automated tools that can cause service disruption. If something is not covered by this policy, or you want to test something that can cause service disruption, contact us for approval.


Only one bounty per security vulnerability will be awarded. The maximum bounty is $1,000 and it’s paid to your PayPal account. Do not submit multiple vulnerabilities with the same root issue, as separated reports. Only one report will qualify for bounty. Our rewards are tied to the security impact level:

  • Critical: $600-$1,000
  • Medium: $200-$600
  • Low: $100-$200
  • General bugs/best practice: $0

Please see description of every level, for categorization.

How to apply

To apply, please send an email to security AT managewp DOT com

It should contain:

  • complete description of the vulnerability
  • steps to reproduce it
  • screenshot
  • fix suggestion
  • testing account name
  • consequences of vulnerability


Bounties cannot be claimed for the following vulnerabilities (and we don’t recommend testing for these):

  • Security vulnerabilities in third-party websites or applications that integrate with ManageWP
  • Network or resource exhaustion attacks such as DDoS are explicitly forbidden
  • Spam or Social Engineering techniques
  • Clickjacking
  • Failure to implement security best practices such as rate limiting, minimum password strength etc
  • Improvements to WordPress standard behaviour (such as how WordPress handles reset or change of password)
  • Improvements/Vulnerabilities to 3rd party infrastructure (AWS or similar)
  • Online security scanning tools or reports from automated scanning tools that can cause service disruption
  • Attacks requiring access to a user’s device
  • Phishing or social engineering techniques
  • Self Cross-Site Scripting
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Missing security headers which do not lead directly to a vulnerability
  • Missing cookies flags
  • Open redirects
  • Use of known, vulnerable libraries without proof of exploitation such OpenSSL
  • Login or forgot password page brute force and account lockout not enforced
  • Enumeration attacks
  • Any physical attempts against property or data centers
  • Presence/absence of SPF/DMARC records
  • Software version disclosure
  • Missing cookie flags on non-sensitive cookies
  • Login/Logout CSRF
  • CSRF on forms that are available to anonymous users
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • “Theoretical” vulnerabilities without any proof or demonstration of the real presence of the vulnerability
  • BEAST/CRIME/Hearbleed/POODLE and similar well known attacks
  • Autocomplete attributes
  • Self-hacking


To qualify for a bounty, you must:

  • Adhere to our Terms for claiming your bounty (above)
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity of ManageWP user data, circumvent the privacy protections of ManageWP user data, or enable access to a system within the ManageWP infrastructure.
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • SQL injection
  • Broken Authentication and session management
  • Insecure direct object references
  • Insecure cryptographic storage
  • Circumvention of our platform/privacy permission models
  • Remote code execution
  • Privilege escalation
  • Getting around 2FA
  • Bypassing CAPTCHA

Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners. Our security team will assess each bug to determine if it qualifies.

Covered domains are:

  • orion.managewp.com
  • api2.managewp.com

Everything else is excluded without prior written consent.

Vulnerability security impact level

Every vulnerability is categorized to one of levels:

  • Critical: Remote code execution, local code execution, major authentication system bypass, SQL injections that can lead to major data leak, or any other critical that can be exploited remotely
  • Medium: Major XSS/XSRF, medium authentication bypass, medium SQL injections, important data leak etc
  • Low: This may include Security policies , minor XSS/XSRF, non-user data leak, low privacy issues etc
  • General bugs/best practice: Any other bug that is not security bug or it’s best practice recommendation.

Our mighty contributors

  • Rafay Baloch
  • Jon Cave
  • Asaf Cohen
  • Subhash Dasyam
  • Siddhesh Gawde
  • Michał Lubicz-Sienicki
  • Anand Meyyappan
  • Jinen Patel
  • Atulkumar Hariba Shedage
  • Nikhil Srivastava
  • SimranJeet Singh
  • Justin Steven
  • Sumit Shinde
  • Alaa Zaher
  • Edis Konstantini
  • Kamil Sevi
  • Anand Prakash
  • Israel Shirk
  • Missoum Said
  • Dave Hewson
  • Hari Krishnan
  • Deepanker Chawla
  • Ala Arfaoui
  • Kiran Karnad
  • Thalaivar Subu
  • Satheesh Raj
  • C.Vishnu Vardhan Reddy