Please note that if you run your own WordPress installation or are a WordPress developer and think you have found a security vulnerability in API Security, follow the instructions on how to report the issue.
Although we strive to create the most secure product possible, we are not perfect. If you happen to find a security vulnerability in our product, we would appreciate you letting us know and allowing us to respond before disclosing the issue publicly.
Supported Versions
The CoCart Headless Security Team believes in Responsible Disclosure: alert the security team immediately and privately of any potential vulnerability. If a critical vulnerability is found in the current version of API Security, we may opt to backport the patch to previous versions.
| Version | Supported |
|---|---|
| 1.0.0 | Yes |
Reporting Security Vulnerabilities
While we try to be proactive in preventing security problems, we do not assume they’ll never come up.
It is standard practice to disclose a security problem to us responsibly and privately before publicizing it, so that a fix can be prepared and the damage from the vulnerability minimized.
What is a “security” issue?
A security issue is a type of bug that can affect the security of WordPress installations.
Specifically, it is a report of a bug that you have found in the API Security code, and that you have determined can be used to gain a level of access to a site running our product that the requester should not have.
- Your site being “hacked” is not, by itself, a security issue. A security issue is the specific bug that let the attacker get in and hack the site.
- You forgetting your password or losing access to your site is not a security issue. If you lost access through a bug in the API Security code, then that might be a security issue.
Generally, security issues are complex problems. If you want to report a security issue, then that’s great! You’re in the right place.
However, be sure that what you’re reporting is actually a security issue. The experts that you are reporting it to are very busy, and don’t usually respond to non-security issues.
The security reporting system is NOT for support. Don’t send general problems there.
Where do I report security issues?
For security issues with API Security, please submit a report at [email protected]. Include as much detail as you can.
We’re committed to working with security researchers to resolve the vulnerabilities they discover. Be Patient – Give us a reasonable time to correct the issue before you disclose the vulnerability.
In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public.
Why are there path disclosures when directly loading certain files?
This is a server configuration problem: when display_errors is on, PHP prints the absolute path of the file in its error messages. Never enable display_errors on a production site.
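As an added illustration (not part of CoCart API Security or its documentation), the PHP settings that stop error messages, and the file paths in them, from reaching the HTTP response while still logging them for the site owner. Because a directly loaded plugin file never runs wp-config.php, this has to be set at the PHP level (php.ini, the PHP-FPM pool, or a .user.ini) rather than in WordPress; the log path is an assumed placeholder.

```ini
; Added example, not the project's own configuration.
; Weak production setting: every warning or notice is echoed into the page,
; and each message includes the absolute path of the file that raised it.
display_errors = On

; Corrected setting: nothing about errors is written to the response.
display_errors = Off
display_startup_errors = Off

; Keep the information for the site owner instead: log to a file outside the
; web root (placeholder path; adjust to the server's layout and permissions).
log_errors = On
error_log = /var/log/php/wordpress-errors.log
```

Only one of the two display_errors lines should remain in a real file; the weak one is shown for contrast. After changing it, reload PHP-FPM or the web server, since php.ini is read at process start.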