We welcome reports from security researchers and organisations. Before proceeding, please read and understand the following:

https://textpattern.com/weblog/security-considerations-and-user-privileges-in-textpattern

If you wish to report a Textpattern security issue please ensure that you’ve taken care of the following security precautions:

• Take steps to ensure any vulnerability or issue is not due to a third party script, malfunctioning server, or insufficient security precautions taken by you or your server admin (such as weak passwords, for example).
• Report any and all security vulnerabilities to us first. Do not publicly disclose information about potential security bugs. It’s unhelpful, and can be damaging. We follow the RFPolicy 2.0, and expect you to in return.
• Allow us a reasonable amount of time to assess and correct the issue before sharing details with others or otherwise making details public.
• Provide details as to the nature of the vulnerability, and examples of the steps to replicate it.
• As we are a free, open-source project run by volunteers, we do not offer monetary rewards or provide ‘bug bounties’ for discovering and/or reporting security issues. All security reports should be considered free of charge and voluntary on your part. Thank you for your understanding.

Please report vulnerabilities directly to security@textpattern.com, where a member of the team will address your report.

Thank you.