Found a security issue or vulnerability in LifterLMS or any of our related codebases? Please let us know by submitting a vulnerability report here.
Communication
All vulnerability disclosure must be submitted on through this contact form. Following the submission of a vulnerability, we will communicate you about your report exclusively through email.
Do not submit vulnerability reports on any of our GitHub repositories, social media, or direct message.
Rewards
At this time we are not issuing monetary rewards for vulnerability reports.
We will provide you with credit for reports with your name (and an optional link) in our changelog when the reported issue is remediated.
Targets, Scope, and Program Details
In Scope
The following eligible targets are distributed WordPress plugins and themes which the LifterLMS team develops and offers to our users and customers.
All of our plugins and themes require WordPress to function.
Access to our paid add-on plugins and themes are available to researchers upon request for security research purposes only.
Focus efforts on our free plugin and premium software; not our websites.
Out of Scope
The majority of the testable code is powering our internal websites uses open-source software such as WordPress, WooCommerce, Yoast SEO, and other WordPress plugins. Any vulnerabilities found in these code bases should be reported directly to the maintainers or developers of the software.
- Do not run automated scans against our internal web properties.
- Do not use bots to submit any forms on our internal websites.
Eligibility and Responsible Disclosure
You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products, services, or codebases. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.