From ff3e3be1ad34f9ec13c79e00d7ac3df5033103c6 Mon Sep 17 00:00:00 2001 From: Barry Kooij Date: Sat, 1 Oct 2022 14:47:26 +0200 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..28dc03a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,49 @@ +# related-posts-for-wp's Security Policy + +Welcome and thanks for taking interest in related-posts-for-wp! + +We are mostly interested in reports by actual related-posts-for-wp users, but all high quality contributions are welcome. + +Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media, we're doing our best to respond through huntr as quickly as we can. + +With that, good luck hacking us ;) + +## Supported Versions + +Please always test your found vulnerabilities against the latest version [master branch](https://github.com/barrykooij/related-posts-for-wp/tree/master). This is the only supported version. + + +## Qualifying Vulnerabilities + +### Vulnerabilities we really care about 🫣 +- Remote command execution +- SQL Injection +- Authentication bypass +- Privilege Escalation +- Cross-site scripting (XSS) +- Performing limited admin actions without authorization +- CSRF + +### Vulnerabilities we accept 🙂 + +- Open redirects +- Password brute-forcing that circumvents rate limiting + + + +## Non-Qualifying Vulnerabilities + +- Reports from automated tools or scanners +- Theoretical attacks without proof of exploitability +- Attacks that are the result of a third party library should be reported to the library maintainers +- Social engineering +- Reflected file download +- Physical attacks +- Weak SSL/TLS/SSH algorithms or protocols +- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle). +- The user attacks themselves + + +## Reporting a Vulnerability + +Vulnerability can be reported via email to support@relatedpostsforwp.com or via [Huntr](https://huntr.dev/repos/barrykooij/related-posts-for-wp/)