Responsible Disclosure of Security Vulnerabilities
Reporting security issues
If you’ve discovered a security vulnerability, I appreciate your help in disclosing it to me in a responsible manner.
I’ll work with you to make sure that I understand the scope of the issue, and that we fully address your concern. If you believe you have discovered a vulnerability or have a security incident to report, please email firstname.lastname@example.org. Please include a detailed summary of the issue you discovered. Be sure to include an email address where I can reach you in case I need more information.
Please act in good faith towards our users’ privacy and data during your disclosure. I won’t take legal or administrative action against you or your account if you act accordingly: White hat researchers are always appreciated.
Please do report:
- Persistent Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- Broken Authentication
- Circumvention of our framework’s privacy and permission models
- Remote Code Execution
Please do not report:
- Outdated versions of WordPress with no known vulnerabilities
- Username enumeration
- Missing DNS SPF records
I will assess each bug to determine if it qualifies. I’ll do my best to respond to your reports in a timely manner. I aim to respond within 1 business day; however, some reports take longer than others to investigate. Repeated emails will NOT result in a quicker response, and may bump your report to the end of the queue.
Thank you for your help with keeping my site safe. I really appreciate it.