From 60a2288220954b6e0dcbdaa35a56b32f67619b83 Mon Sep 17 00:00:00 2001 From: Tim Carr Date: Tue, 7 Jul 2026 17:09:31 +0800 Subject: [PATCH 1/2] Add Security Disclosure Policy --- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..26333e9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +This security policy applies to public projects under the [Kit organization](https://github.com/kit) on GitHub. + +## Reporting a Vulnerability + +If you discover a security vulnerability, please report via any of the below: + +- [BugCrowd](https://docs.bugcrowd.com/researchers/reporting-managing-submissions/reporting-a-bug/#creating-a-vulnerability-report) +- [PatchStack]() +- [GitHub](https://github.com/Kit/convertkit-wpforms/security/advisories) +- [Email](mailto:security@kit.com) + +Please do **not** report security issues publicly via GitHub issues or discussions. Security reports sent via the above channels be acknowledged within 48 hours. + +## Security Disclosure Process + +When reporting a security vulnerability, please include: + +1. **Description** - A clear description of the vulnerability +2. **Impact** - What kind of vulnerability it is and who it impacts +3. **Reproduction** - Detailed steps to reproduce the issue +4. **Proof of Concept** - If applicable, include proof-of-concept code +5. **Suggested Fix** - If you have ideas for how to fix the issue + +## Security Response Timeline + +- **Initial Response**: Within 48 hours of receiving the report +- **Investigation**: We will investigate and validate the reported vulnerability +- **Fix Development**: Development of a patch or mitigation strategy +- **Release**: Coordinated disclosure and release of security update +- **Public Disclosure**: After users have had time to upgrade \ No newline at end of file From 45128fd46337fb414b7a731833115432c196c3be Mon Sep 17 00:00:00 2001 From: Tim Carr Date: Wed, 8 Jul 2026 15:51:32 +0800 Subject: [PATCH 2/2] Add PatchStack readme validation --- SECURITY.md | 4 ++-- readme.txt | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 26333e9..8c1cbf4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,8 +6,8 @@ This security policy applies to public projects under the [Kit organization](htt If you discover a security vulnerability, please report via any of the below: -- [BugCrowd](https://docs.bugcrowd.com/researchers/reporting-managing-submissions/reporting-a-bug/#creating-a-vulnerability-report) -- [PatchStack]() +- [Kit](https://kit.com/report-vulnerability) +- [PatchStack](https://patchstack.com/database/vdp/48836c47-fab2-44e1-a46d-05f3fcae6c13) - [GitHub](https://github.com/Kit/convertkit-wpforms/security/advisories) - [Email](mailto:security@kit.com) diff --git a/readme.txt b/readme.txt index fa6d582..0345df0 100644 --- a/readme.txt +++ b/readme.txt @@ -35,6 +35,9 @@ Full plugin documentation is located [here](https://cultivatewp.com/our-plugins/ No. You must first have an account on kit.com, but you do not have to use a paid plan! += Where do I report security bugs found in this plugin? = +Please report security bugs found in the source code of the plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/48836c47-fab2-44e1-a46d-05f3fcae6c13). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin. + == Screenshots == 1. WPForms Kit API Connections at WPForms > Settings > Integrations > Kit