diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8c1cbf4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +This security policy applies to public projects under the [Kit organization](https://github.com/kit) on GitHub. + +## Reporting a Vulnerability + +If you discover a security vulnerability, please report via any of the below: + +- [Kit](https://kit.com/report-vulnerability) +- [PatchStack](https://patchstack.com/database/vdp/48836c47-fab2-44e1-a46d-05f3fcae6c13) +- [GitHub](https://github.com/Kit/convertkit-wpforms/security/advisories) +- [Email](mailto:security@kit.com) + +Please do **not** report security issues publicly via GitHub issues or discussions. Security reports sent via the above channels be acknowledged within 48 hours. + +## Security Disclosure Process + +When reporting a security vulnerability, please include: + +1. **Description** - A clear description of the vulnerability +2. **Impact** - What kind of vulnerability it is and who it impacts +3. **Reproduction** - Detailed steps to reproduce the issue +4. **Proof of Concept** - If applicable, include proof-of-concept code +5. **Suggested Fix** - If you have ideas for how to fix the issue + +## Security Response Timeline + +- **Initial Response**: Within 48 hours of receiving the report +- **Investigation**: We will investigate and validate the reported vulnerability +- **Fix Development**: Development of a patch or mitigation strategy +- **Release**: Coordinated disclosure and release of security update +- **Public Disclosure**: After users have had time to upgrade \ No newline at end of file diff --git a/readme.txt b/readme.txt index fa6d582..0345df0 100644 --- a/readme.txt +++ b/readme.txt @@ -35,6 +35,9 @@ Full plugin documentation is located [here](https://cultivatewp.com/our-plugins/ No. You must first have an account on kit.com, but you do not have to use a paid plan! += Where do I report security bugs found in this plugin? = +Please report security bugs found in the source code of the plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/48836c47-fab2-44e1-a46d-05f3fcae6c13). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin. + == Screenshots == 1. WPForms Kit API Connections at WPForms > Settings > Integrations > Kit