Only the latest release on the main branch receives security fixes.
| Version | Supported |
|---|---|
| Latest (main) | Yes |
| Older releases | No |
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
To report a vulnerability privately, use one of the following methods:
Use GitHub's built-in private vulnerability reporting feature. Your report will be visible only to repository maintainers.
Send a description of the vulnerability to info@developmentgateway.org. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Affected package(s) and version(s)
- Any suggested mitigations
- Acknowledgement: within 5 business days of receipt
- Status update: within 15 business days
- Fix timeline: depends on severity; critical issues are prioritized
- Credit: reporters will be credited in the security advisory unless they request anonymity
This policy covers vulnerabilities in code maintained in this repository:
packages/commons(@devgateway/dvz-wp-commons)packages/create-wp-customizer(@devgateway/create-wp-customizer)packages/upgrade-wp-customizer(@devgateway/upgrade-wp-customizer)plugins/wp-react-blocks-pluginplugins/wp-react-custom-apiplugins/wp-react-custom-rest-menu
- Vulnerabilities in WordPress itself — report to the WordPress Security Team.
- Vulnerabilities in Apache Superset — report to the Apache Security Team.
- Vulnerabilities only exploitable with valid admin credentials to the running application.
- Docker base image vulnerabilities — report to the relevant upstream image maintainers.