diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..562e02203 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +This security policy applies to public projects under the [Kit organization](https://github.com/kit) on GitHub. + +## Reporting a Vulnerability + +If you discover a security vulnerability, please report via any of the below: + +- [BugCrowd](https://docs.bugcrowd.com/researchers/reporting-managing-submissions/reporting-a-bug/#creating-a-vulnerability-report) +- [PatchStack](https://patchstack.com/database/vdp/1010ebe1-02b2-4144-8297-b8cddba0ce7d) +- [GitHub](https://github.com/Kit/convertkit-wordpress/security/advisories) +- [Email](mailto:security@kit.com) + +Please do **not** report security issues publicly via GitHub issues or discussions. Security reports sent via the above channels be acknowledged within 48 hours. + +## Security Disclosure Process + +When reporting a security vulnerability, please include: + +1. **Description** - A clear description of the vulnerability +2. **Impact** - What kind of vulnerability it is and who it impacts +3. **Reproduction** - Detailed steps to reproduce the issue +4. **Proof of Concept** - If applicable, include proof-of-concept code +5. **Suggested Fix** - If you have ideas for how to fix the issue + +## Security Response Timeline + +- **Initial Response**: Within 48 hours of receiving the report +- **Investigation**: We will investigate and validate the reported vulnerability +- **Fix Development**: Development of a patch or mitigation strategy +- **Release**: Coordinated disclosure and release of security update +- **Public Disclosure**: After users have had time to upgrade \ No newline at end of file diff --git a/readme.txt b/readme.txt index dc4cf483f..c485c4f42 100755 --- a/readme.txt +++ b/readme.txt @@ -328,6 +328,9 @@ Comprehensive documentation is available at: [Kit WordPress Plugin Setup Guide]( The documentation covers newsletter form setup, landing page configuration, membership site creation, email marketing automation, subscriber segmentation, and all plugin features for growing your email newsletter. += Where do I report security bugs found in this plugin? = +Please report security bugs found in the source code of the Kit (formerly ConvertKit) plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/1010ebe1-02b2-4144-8297-b8cddba0ce7d). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin. + == Screenshots == 1. Create stunning email newsletter subscription forms and landing pages in Kit's visual editor optimized for email subscriber conversion