Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent 3f8d40d, commit ff3e3be
Showing 1 changed file with 49 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# related-posts-for-wp's Security Policy | ||
|
||
Welcome and thanks for taking interest in related-posts-for-wp! | ||
|
||
We are mostly interested in reports by actual related-posts-for-wp users, but all high quality contributions are welcome. | ||
|
||
Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media, we're doing our best to respond through huntr as quickly as we can. | ||
|
||
With that, good luck hacking us ;) | ||
|
||
## Supported Versions | ||
|
||
Please always test your found vulnerabilities against the latest version [master branch](https://github.com/barrykooij/related-posts-for-wp/tree/master). This is the only supported version. | ||
|
||
|
||
## Qualifying Vulnerabilities | ||
|
||
### Vulnerabilities we really care about 🫣 | ||
- Remote command execution | ||
- SQL Injection | ||
- Authentication bypass | ||
- Privilege Escalation | ||
- Cross-site scripting (XSS) | ||
- Performing limited admin actions without authorization | ||
- CSRF | ||
|
||
### Vulnerabilities we accept 🙂 | ||
|
||
- Open redirects | ||
- Password brute-forcing that circumvents rate limiting | ||
|
||
|
||
|
||
## Non-Qualifying Vulnerabilities | ||
|
||
- Reports from automated tools or scanners | ||
- Theoretical attacks without proof of exploitability | ||
- Attacks that are the result of a third party library should be reported to the library maintainers | ||
- Social engineering | ||
- Reflected file download | ||
- Physical attacks | ||
- Weak SSL/TLS/SSH algorithms or protocols | ||
- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle). | ||
- The user attacks themselves | ||
|
||
|
||
## Reporting a Vulnerability | ||
|
||
Vulnerability can be reported via email to support@relatedpostsforwp.com or via [Huntr](https://huntr.dev/repos/barrykooij/related-posts-for-wp/) |
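Review bot: the Supported Versions section names only the master branch (`Please always test your found vulnerabilities against the latest version [master branch]`), but users of a plugin normally run a released version rather than master, so the policy should also say which released versions receive security fixes and whether a finding that reproduces on the latest release but not on master is still accepted. In the same hunk, the Reporting section gives no acknowledgement or disclosure timeline and no encrypted channel for the support@relatedpostsforwp.com address, which reporters will ask about; and the last line should read "Vulnerabilities can be reported via email" rather than "Vulnerability can be reported". Minor: the non-qualifying entry "Attacks that are the result of a third party library should be reported to the library maintainers" mixes a category with an instruction; stating the category ("Vulnerabilities in third-party libraries") and then where to report them reads more clearly in a bullet list.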