Responsible Security Disclosure Policy for SendWP

Reporting Security Vulnerabilities

While we try to be proactive in preventing security problems, it is inevitable that security flaws will be discovered in all software, including our own. It is standard practice in open source to disclose a security problem responsibly and privately to the vendor (in this case Saturday Drive, the developers of SendWP) before publicizing it, so that a fix can be prepared and we can take proactive steps to protect the users of SendWP.

What is a “security” issue?

A security issue is a type of bug that can affect the security of WordPress installations.

Specifically, it is a report of a bug that you have found in the code for SendWP or add-ons for SendWP, and that you have determined can be used to gain some level of access to a site running SendWP that you should not have.

Please keep in mind that there are many 3rd-party add-ons for SendWP that we do not develop. If you have found a vulnerability in a 3rd-party add-on for SendWP, we likely can’t fix it ourselves, but we likely know who can, and we want to help keep the SendWP ecosystem healthy.

Where do I report security issues?

To report a security vulnerability or possible vulnerability, please email us at security@saturdaydrive.io. This address can be used for reporting vulnerabilities in any Saturday Drive product, including Ninja Forms, SendWP and Caldera Forms. Please do not use this email for support.

In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public. If you have a verified vulnerability, we recommend requesting a CVE ID and entering it in the WPScan Vulnerability Database, so that the vulnerability is responsibly disclosed and can be tracked by the security community.