Our Commitment to Security

We take security seriously. WP Secure Stack depends on the WordPress security community to help us find and fix vulnerabilities responsibly.

This policy tells you how to report security issues to us and what we do with that information.

What We Want You to Report

✅ Report These Issues

We want you to tell us about:

• Vulnerabilities in WordPress plugins that we reviewed or recommend
• Security flaws in the Extendable theme that we use
• Vulnerabilities on wpsecurestack.com itself
• Security weaknesses in services we suggest (hosting, security tools, etc.)
• Zero-day exploits affecting WordPress or security tools
• Authentication bypass vulnerabilities
• Data exposure or information disclosure
• Privilege escalation bugs
• Injection vulnerabilities (SQL, command, etc.)
• Any other security issue you think we should know about

❌ Don’t Report These

We don’t handle:

• Spam or phishing complaints (report to the platform)
• User account access issues (contact our support team)
• Complaints about content or blog posts (email [email protected])
• Questions about security (post in our contact form)
• Site availability or performance issues (contact support)
• Non-security bugs in third-party software (report to the vendor)

How to Report a Vulnerability

Step 1: Check First

Before reporting, verify:

• You actually found a real vulnerability (not a feature)
• You can reproduce it consistently
• You’ve tested it carefully
• You understand what it does

Step 2: Contact Us

Email: [email protected]

Send us:

• Subject: “Security Vulnerability Report”
• Your name and contact information
• Description of the vulnerability (be specific)
• Steps to reproduce it (numbered list)
• Potential impact (how serious is it?)
• Affected versions (which WordPress versions, plugins, etc.)
• Proof of concept (screenshots, code, demo link if safe)

Step 3: Provide Details

The more details you give us, the faster we fix it:

Vulnerability: SQL Injection in [Plugin Name]

Severity: High

Affected Version: 1.0.0 – 1.2.3

Steps to Reproduce:

1. Install [plugin name]

2. Go to Settings > [Plugin Settings]

3. Enter ‘ OR 1=1 — in [field name]

4. Submit form

5. Check database – all user data is exposed

Impact: Attackers can steal all user data from any WordPress site using this plugin

Step 4: Wait for Our Response

We respond within 3 business days to acknowledge receipt.

We tell you:

• We received your report
• We’re investigating
• Our timeline for fixing it
• Who to contact with questions

What We Do With Your Report

1. We Investigate

We verify the vulnerability you reported. We test it on multiple WordPress versions and configurations.

2. We Contact the Vendor (If Needed)

If you found a vulnerability in a third-party plugin or theme, we contact the developer. We give them time to patch it before we disclose it.

3. We Create a Fix

If the vulnerability affects us, we fix it. If it affects a plugin we recommend, we work with the author.

4. We Notify You

We tell you:

• What we found
• What we’re doing about it
• When we’ll release the fix
• How you can help test it

5. We Publish a Disclosure

After we fix the issue, we publish it. We give proper credit to the researcher (you) who reported it.

Timeline & Expectations

Our Process

Day 1-3: We acknowledge your report and thank you

Day 3-7: We confirm we can reproduce the vulnerability

Day 7-14: We develop and test a fix

Day 14-30: We release the fix publicly

Day 30: We publish a detailed security advisory with credit to you

Total: Typically 30 days from report to public disclosure

Your Part

We ask you to:

• Not disclose the vulnerability publicly before we patch it
• Not share it with others without permission
• Keep it confidential until we publish our advisory
• Not access data or systems you don’t have permission to access
• Not harm any systems or data while testing

We understand urgent situations exist. If a vulnerability is actively being exploited, we accelerate our timeline and publish fixes within 3-7 days.

Public Disclosure Timeline

What Happens After We Fix It

Security Advisory We publish a detailed blog post on wpsecurestack.com that includes:

• Description of the vulnerability
• Affected versions
• How to fix it
• Your name as the discoverer (unless you ask to remain anonymous)
• Thank you and credit

Example:

“WP Secure Stack Security Advisory: SQL Injection in [Plugin Name]

Discoverer: [Your Name] (or Anonymous at your request)

Date: May 30, 2026

Severity: High

CVSS Score: 8.2

We want to thank [Your Name] for responsibly reporting this vulnerability…”

What You Get

Recognition

We credit you publicly for finding the security issue:

• Your name in our advisory
• Link to your website (if you want)
• Social media credit
• Recognition in our newsletter
• Badge on your profile (if you have a WP Secure Stack account)

Bounty (If Applicable)

For now, we offer recognition and thanks. If our budget allows in the future, we’ll establish a bug bounty program with payment. We’ll update this policy when that changes.

Early Access

We may ask you to test our fix before we publish it. We’ll provide:

• Test environments
• Early access to patches
• A chance to verify the fix works

Safe Harbor Guarantee

We promise we will not:

• ❌ Press charges against you
• ❌ Report you to law enforcement
• ❌ Take legal action against you
• ❌ Demand payment from you
• ❌ Publicly shame or blame you
• ❌ Terminate your access to our site

In exchange, you promise you will:

• ✅ Not access data you don’t have permission to access
• ✅ Not modify or delete data or systems
• ✅ Not disrupt our services
• ✅ Not cause harm to users or systems
• ✅ Not test on production systems without permission
• ✅ Keep the vulnerability confidential until we disclose it

Special Cases

Zero-Day Vulnerabilities

If you discover a zero-day (vulnerability unknown to vendors):

1. You contact the vendor first
2. You give them 30 days to patch
3. You tell us after the vendor knows
4. We work with the vendor on a coordinated disclosure

We appreciate researchers who follow responsible disclosure with vendors first.

Actively Exploited Vulnerabilities

If a vulnerability is actively being attacked:

1. You tell us immediately
2. We skip the normal timeline
3. We release a fix within 3-7 days
4. We publish a warning immediately

Your safety is more important than our process.

Vulnerabilities in WordPress Core

If you find a vulnerability in WordPress itself:

Report it directly to:

• Email: [email protected]
• Website: https://wordpress.org/support/article/reporting-security-issues/

We support WordPress’s responsible disclosure process. Don’t wait for us—report directly to the WordPress Security Team.

Vulnerabilities in Third-Party Software

If you find a vulnerability in software we didn’t create:

1. Report to the vendor first (best practice)
2. Then tell us so we can warn our readers
3. Keep it confidential until the vendor patches it

We work with vendors to ensure coordinated disclosures.

Questions?

Before You Report

If you’re not sure whether something is a vulnerability, ask us first:

Email: [email protected]

Subject: “Question about potential vulnerability”

We’ll help you figure it out without requiring a full report.

During Your Report

If you have questions while reporting:

Email: [email protected]

Include:

• Your reference number (we give you this)
• Your specific question
• What information you need

We respond within 3 business days.

After We Receive Your Report

We assign you a reference number:

Example: WPSS-2026-0042

Use this number in all communication about your report. It helps us track your issue.

Rules of the Game

You Can

✅ Test the vulnerability on your own systems

✅ Test on staging/test environments

✅ Document your findings with screenshots

✅ Use proof-of-concept code

✅ Ask questions about the process

✅ Request anonymity

✅ Ask for recognition

✅ Share your report after we publish our advisory

You Can’t

❌ Access production systems without permission

❌ Exploit the vulnerability for data or money

❌ Publicly disclose before we patch

❌ Share with competitors or other researchers

❌ Modify or delete data to prove the point

❌ Access other users’ accounts or information

❌ Disrupt services or cause downtime

❌ Demand payment or bounty (yet)

❌ Threaten or blackmail

❌ Sell the information

Break these rules, and we report you to authorities. Follow them, and we protect you.

Scope: What This Policy Covers

✅ In Scope

• wpsecurestack.com and all subdomains
• Our WordPress plugins (if we create any)
• Our WordPress theme (Extendable child theme)
• Our recommendations and resources
• Services we promote or link to
• Content security vulnerabilities

❌ Out of Scope

• Third-party websites we link to (report to them)
• External plugins and themes (report to the vendor)
• WordPress core (report to wordpress.org)
• Advertising networks on our site
• User-submitted comments and content
• Social media accounts
• Our employees’ personal accounts

Privacy During the Process

What We Keep Secret

During the vulnerability fix process:

• Your identity (unless you give permission to share)
• Vulnerability details (until we patch and disclose)
• Timeline and discussions (until public disclosure)
• Your personal information (never shared with anyone)

What We Share

After we fix and disclose:

• Vulnerability description (public advisory)
• Your name as discoverer (unless you want anonymity)
• Timeline (how long it took to fix)
• Thank you message (public credit)

We never share:

• Your contact information
• Your location or identity details
• Private communications
• Your other vulnerabilities you mentioned in passing

After Disclosure

You Can Share

After we publish our advisory, you can:

✅ Write a blog post about it

✅ Present at conferences

✅ Share the advisory

✅ Discuss the vulnerability

✅ Include it in your portfolio

✅ Apply for jobs based on this find

We’ll Help

We’ll:

✅ Link to your blog post

✅ Share your advisory on social media

✅ Include you in our newsletter

✅ Retweet your findings

✅ Help you gain recognition

Thank You

We genuinely appreciate security researchers who report vulnerabilities responsibly.

You help us keep WordPress security strong. You help site owners stay safe. You help the entire WordPress community.

We’re in this together.

Summary

The Simple Version:

1. You find a vulnerability
2. You email us at [email protected]
3. You tell us details and steps to reproduce
4. You keep it confidential
5. We investigate within 3 days
6. We fix it
7. We publish an advisory with your name
8. We thank you publicly

That’s it. Easy. Responsible. Safe for everyone.

Questions?

Security Issues: [email protected]

General Feedback: [email protected]

Contact Form: https://wpsecurestack.com/contact/

We respond to all security emails within 3 business days.

Thank you for helping WP Secure Stack and the WordPress community stay secure.