WPBITS Addons For Elementor Page Builder

Developer: wpbits
Latest version: 1.7
Installations: 2,000
Last updated: Dec 19, 2024

WordPress Plugin
Active VDP

Vulnerability disclosure policy

This is the official vulnerability disclosure program for WPBITS Addons For Elementor Page Builder. If you're a security researcher and believe that you have found a security vulnerability within our software, please send us details through the "report" form on this page. Please include as much detail as possible so that we can verify the issue and get back to you as soon as possible with either additional questions or a potential fix. All valid security vulnerabilities will receive a CVE and may also earn you rewards from the Patchstack Alliance bug bounty program.

Patchstack Zeroday payouts

Patchstack pays a fixed bounty for high value vulnerabilities.

$250: Unauthenticated access leading to a full site compromise
$125: Subscriber or Customer level access leading to a full site compromise

Report for monthly rewards

Members of the Bug Bounty program receive XP for their reports and are eligible for monthly cash rewards.

$2,000: Top ranking contributor
$1,400: Contributor ranking 2nd
$800: Contributor ranking 3rd
$600: Contributor ranking 4th
$500: Contributor ranking 5th
$400: Contributor ranking 6th to 10th
$200: Contributor ranking 11th to 15th
$100: Contributor ranking 16th to 19th
$50: Contributor ranking 20th
$50: Random pick
$50: Random pick outside TOP20

No active bounties by the developer

Eligibility and responsibility

We would like to thank everyone who submits valid reports that help us improve the security of WPBITS Addons For Elementor Page Builder. However, only those that meet the following eligibility requirements may receive a monetary reward for vulnerabilities found in the WPBITS Addons For Elementor Page Builder source code.

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through patchstack.com.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you overdo it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure.
Reports on vulnerabilities are examined by our security analysts. Our analysis is always based on worst-case exploitation and the business criticality of the vulnerability, as is the reward we pay.

Qualifying vulnerabilities

SQL Injection
Cross Site Scripting (XSS)
Remote/Local File Inclusion
Cross-Site Request Forgery (CSRF)
Open Redirection
Bypass Vulnerability
Broken Access Control
Privilege Escalation
Arbitrary File Read/Download/Upload/Deletion
Sensitive Data Exposure
Arbitrary/Remote Code Execution
Server Side Request Forgery (SSRF)
Denial of Service
PHP Object Injection
Deserialization of untrusted data
Insecure Direct Object References (IDOR)
CSV Injection
Broken Authentication
Path Traversal
Race Condition

Non-qualifying vulnerabilities

Cross-Site Request Forgery (CSRF) on read-only actions
Pre-requisite of another vulnerability
Pre-requisite of specific or unusual conditions
Vulnerabilities that require exotic server configurations or outdated server software
Missing encryption/hashing on potentially sensitive information
Spoofing of data (User Agent, IP address, etc.) with no serious security impact
