Responsible Disclosure

Report security issues privately and responsibly

If you identify a potential security issue in WPLURA public pages, plugin-connected flows, cloud services, or account workflows, report it safely so we can validate and remediate.

Reporting

What to include

Send reports to security@wplura.com with the subject prefix [SECURITY]. Keep testing legal, private, and non-destructive.

  • Affected URL, endpoint, plugin page, account workflow, or product surface.
  • Clear reproduction steps, expected behavior, actual behavior, and observed impact.
  • Evidence such as screenshots, request samples, logs, timestamps, browser details, or proof-of-concept notes.
  • Whether the issue touches authentication, tenant isolation, data exposure, payment, plugin signing, backup/restore, or cloud workflow state.

Process

What happens after a report

01 Report

Send the issue privately through the security channel with enough detail for safe validation.

02 Triage

WPLURA reviews severity, affected surfaces, exploitability, customer impact, and required containment.

03 Remediate

Confirmed issues are fixed, verified, and coordinated with affected stakeholders where needed.

04 Close

Status updates are shared for valid reports, with disclosure timing coordinated responsibly.

Safe Harbor

Good-faith research expectations

Supported behavior

Good-faith research is supported when it is legal, authorized, minimally invasive, promptly reported, and avoids harm to customers, data, and services.

Out of scope

  • Social engineering, phishing simulations, spam, or physical testing.
  • Denial-of-service, load testing, destructive testing, or attempts to degrade service availability.
  • Accessing, modifying, deleting, or exfiltrating data that is not your own.
  • Testing third-party systems, customer infrastructure, or unrelated services without authorization.