Responsible Disclosure

Responsible Disclosure of Security Vulnerabilities

Reporting security issues

If you’ve discovered a security vulnerability, I appreciate your help in disclosing it to me in a responsible manner.

I’ll work with you to make sure that i understand the scope of the issue, and that we fully address your concern. If you believe you have discovered a vulnerability or have a security incident to report, please email Please include a detailed summary of the issue you discovered. Be sure to include an email address where i can reach you in case i need more information.

Please act in good faith towards our users’ privacy and data during your disclosure. I won’t take legal or administrative action against you or your account if you act accordingly: White hat researchers are always appreciated.

Please do report:

  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication
  • Circumvention of our framework’s privacy and permission models
  • Remote Code Execution

Please do not report:

  • Outdated versions of WordPress with no known vulnerabilities
  • Username enumeration
  • Self-XSS
  • Missing DNS SPF records

I will assess each bug to determine if it qualifies. I’ll do my best to respond to your reports in a timely manner. I aim to respond within 1 business day, however some reports take longer than others to investigate. Repeated emails will NOT result in a quicker response, and may bump your report to the end of the queue.


Thank you for your help with keeping my site safe. I really appreciate it.