Security
How to responsibly report a vulnerability, how we respond, and the public record of past advisories.
Reporting a vulnerability
If you believe you have found a security issue in PerfLocale, please report it to us privately first so we can investigate and issue a fix before the details become public. This protects every site running PerfLocale while we work on a patch.
Email: security@perflocale.com
In your report, please include as much of the following as you can:
- A description of the issue and why you believe it's a security problem.
- Steps to reproduce it on a fresh WordPress install with PerfLocale active. A minimal proof-of-concept helps us confirm the scope.
- The PerfLocale version, WordPress version, and PHP version you tested against.
- Any ideas you have for mitigation or a fix. These are always welcome but never required.
Please don't open a public GitHub issue or a blog post about the vulnerability before we've had a chance to fix it. Coordinated disclosure keeps users safe.
What you can expect from us
- Acknowledgement within 72 hours. We will confirm we received your report.
- Initial triage within 7 days. We will tell you whether we consider the report a valid security issue, how severe we believe it is, and our tentative timeline for a fix.
- Fix and public advisory. Once a patched release is available, we will publish an advisory on this page crediting you (unless you prefer to stay anonymous) and describing the issue, affected versions, and the upgrade path. Our typical target is 30–90 days from report to public disclosure: shorter for high-severity issues, and longer only when we're waiting on coordinated disclosure with a dependency.
- Credit. If you'd like to be credited in the advisory, tell us the name, handle, or company to use. If you'd rather not be named, we will simply say "reported by an independent researcher".
Scope
In scope:
- The PerfLocale WordPress plugin source code.
- The bundled first-party addons under addons/ in the plugin.
- The plugin's REST endpoints, admin pages, and frontend output when processing attacker-controlled input.
Out of scope:
- Third-party plugins and themes that PerfLocale integrates with (report those to the respective vendors).
- WordPress core issues (report those to WordPress's HackerOne program).
- This marketing website (perflocale.com), unless the issue allows attacking plugin users directly.
- Issues that require an already-compromised administrator account, physical access to the server, or social engineering.
- Missing security headers on static documentation pages, absent rate limiting on public blog endpoints, or similar best-practice recommendations without a demonstrable exploit.
About bounties
PerfLocale is a free, open-source plugin without a formal bug-bounty program at this time. We take every report seriously and credit researchers in published advisories, but we're not able to pay for reports. If a paid program matters to you, consider submitting eligible issues through Wordfence's bug-bounty program, which covers popular WordPress plugins including ours.
Published advisories
No security advisories have been issued to date. When any are published they will be listed here with CVE numbers where applicable, affected versions, and the fixed version.