These FAQs are specifically for submitting vulnerability and security findings that affect our WordPress plugin.
General bug reports that don't pose security risks can just be posted on the plugin forum for all to see.
How can I submit a security issue?
By email please (support at this domain).
You can make initial contact via the main contact form if you prefer. You may receive an auto-reply, but if you've given your real email address then we'll reply in person if we need more information.
Why haven't you replied?
If your issue seems genuine and non-trivial, and you are the first reporter, we WILL reply.
We're unlikely to reply to automated or speculative messages, or if we've received the same report from multiple sources. Both are common when a new version of the plugin is released.
Will you accept AI-generated reports?
Any good-quality submission will be looked at, but please review what you're sending, and check that it isn't already fixed in the development branch. If Claude found a problem for you, it probably found it for someone else too.
Please try to avoid unnecessarily lengthy documentation for simple issues. It requires real, human time to read through pages of AI-generated waffle.
Will I get a credit?
Genuine discoveries will get a researcher credit in the change log when the issue is fixed. In the case of duplicates, only the first person will be credited.
Feature requests won't get a credit. So if the issue is a deliberate function that you simply feel is insecure, we won't regard it as a "discovery" unless you can frame it as an attack surface we hadn't considered.
Will I get payment?
No. There are no bounties for our free plugin.
Is it fixed yet?
Please don't prod us for updates. If an issue seems serious then we'll fix it quickly, and you'll see it reflected in the change log. Check the development version of readme.txt if a new version hasn't been released yet.
If it's not fixed after several weeks, then probably we don't think the issue is as critical as you do. If you'd planned to disclose it, just go ahead. It's unlikely that we'd ask for an extension, but if we were worried about fixing it by your deadline, you'd have heard from us.