We build security into our products, ensuring that your privacy (and that of your customers) is always protected along the way. Our security policy is a living, breathing specification that we continuously adapt as necessary.
Security Policy
The source code for all of our Craft CMS plugins is available for everyone to examine (and learn from) on GitHub. While we accept code contributions through pull requests, only our core team may actually modify code, and only after carefully reviewing and testing changes. We ensure the integrity of our plugins using both manual and automated testing tools.
If a vulnerability is ever discovered in any of our plugins, we will fix it and release an update immediately. Plugin updates are instantly available through the Craft Plugin Store. If necessary, we will mark an update as urgent, which prompts users to update in the control panel and sends email notifications to users of the Sherlock security plugin (recommended).
Reporting a Vulnerability
- Your name and whether you represent a company or organisation.
- Where exactly the vulnerability exists and how you discovered it.
- The exact steps that can be taken to replicate the security exploit.
Please do not submit reports from automated tools or scanners, nor theoretical attacks without proof of exploitability.
We will acknowledge receipt of your vulnerability report as soon as possible (generally within one business day) and update you regularly as we investigate it. During this time, we ask that you do not disclose anything contained within your report publicly, until we have had a sufficient amount of time to respond.
We don’t offer a bug bounty program; however, we will reward vulnerability reports that reveal serious security issues and that are reported in line with our guidelines.
We retain as little personally identifiable data about our users as possible. Since our plugins are sold through the Craft Plugin Store, that is where all account and license data ends up being stored. We store records of license numbers and the email addresses that were used to purchase them for internal usage only, such as generating reports and providing support. If you contact us via email then we may store those email exchanges so that we can reference them and help you again in future.