Skip to content

Latest commit

 

History

History
54 lines (36 loc) · 2.04 KB

File metadata and controls

54 lines (36 loc) · 2.04 KB

Security Policy

Supported Versions

Only the latest release on the main branch receives security fixes.

Version Supported
Latest (main) Yes
Older releases No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

To report a vulnerability privately, use one of the following methods:

Option 1 — GitHub Private Vulnerability Reporting (preferred)

Use GitHub's built-in private vulnerability reporting feature. Your report will be visible only to repository maintainers.

Option 2 — Email

Send a description of the vulnerability to info@developmentgateway.org. Include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Affected package(s) and version(s)
  • Any suggested mitigations

What to Expect

  • Acknowledgement: within 5 business days of receipt
  • Status update: within 15 business days
  • Fix timeline: depends on severity; critical issues are prioritized
  • Credit: reporters will be credited in the security advisory unless they request anonymity

Scope

This policy covers vulnerabilities in code maintained in this repository:

  • packages/commons (@devgateway/dvz-wp-commons)
  • packages/create-wp-customizer (@devgateway/create-wp-customizer)
  • packages/upgrade-wp-customizer (@devgateway/upgrade-wp-customizer)
  • plugins/wp-react-blocks-plugin
  • plugins/wp-react-custom-api
  • plugins/wp-react-custom-rest-menu

Out of Scope

  • Vulnerabilities in WordPress itself — report to the WordPress Security Team.
  • Vulnerabilities in Apache Superset — report to the Apache Security Team.
  • Vulnerabilities only exploitable with valid admin credentials to the running application.
  • Docker base image vulnerabilities — report to the relevant upstream image maintainers.