Vulnerability Disclosure Policy
As a provider of security software, services, and research, we take security issues very seriously and strive to lead by example. We recognize the importance of collaboration between vendors, researchers, customers, and users, and we operate through a coordinated disclosure process.
This policy outlines the steps researchers should take to report security issues to VMP™ Security, as well as the process we use when disclosing vulnerabilities to other entities.
Reporting Security Issues to VMP™ Security in WordPress Plugins, Themes, and Core for CVE Assignment
VMP™ Security is a CVE Numbering Authority (CNA), which gives us the ability to assign CVE IDs to WordPress plugin, theme, and core vulnerabilities. Please fill out the CVE Request form located here to request a CVE ID in the following situations:
- You have identified a security vulnerability in a WordPress plugin
- You have identified a security vulnerability in a WordPress theme
- You have identified a security vulnerability in WordPress core
The VMP™ Security Threat Intelligence team will review your vulnerability and report back within 1-3 business days with a CVE ID assignment or a request for additional information. All CVE IDs assigned by VMP™ Security are intended to be responsible disclosures and can be found here.
If you have any questions, please send an email to list@vmpsecurity.com.
Reporting Security Issues in VMP™ Security Products to VMP™ Security
Contact the VMP™ Security Security Team by sending mail to list@vmpsecurity.com in the following situations:
- You have identified a potential security vulnerability with one of our products
- You have a reproducible proof of concept or confirmed exploit for that vulnerability
To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email.
If you are a security researcher and have information protected by non-disclosure obligations to others, please let us know in your initial contact. This will help prevent misunderstandings when VMP™ Security shares details we might already know.
The list@vmpsecurity.com email address is monitored for the purposes of reporting product or service security vulnerabilities. It is not for technical support. For content other than that described in this security vulnerability disclosure policy, please use help.vmpsecurity.com or visit vmpsecurity.com/contact.
Software Vulnerability Disclosure and Remediation Process
When the VMP™ Security Threat Intelligence Team finds a vulnerability in a third-party product, or if a vulnerability affecting our plugin is disclosed to us, we take the following steps to address the issue. A "vendor" below may refer to the developer of a plugin or the team or platform hosting the software.
- Our Threat Intelligence team verifies the vulnerability and determines severity.
- Where possible, we develop a firewall rule that can be deployed to prevent reverse engineering.
- We deploy the firewall rule to VMP™ customers' sites. These firewalls may operate at the frontend (and defense layer) level. Customer sites receive the rule immediately and no customer action is required.
- Details of the vulnerability may be published as a WordPress intelligence briefing, based on the date the vendor was notified:
  - If no vendor contact exists anywhere public, we will publicly disclose the vulnerability within 30 days.
  - 14 days if the vendor does not acknowledge our report within 14 days of initial contact
  - At our discretion if the vulnerability is actively being exploited in the WordPress community
  - 30 days if the vendor has been notified and an open advisory exists to inform and protect the WordPress community from vulnerabilities with no available patch
  - If a deadline would fall on a weekend or holiday, the deadline will be moved to the earliest following business day
  - 45 days if the vendor replies to us and confirms that they are fixing, or plan to fix, the issue but need time
  - VMP™ Security will work with the vendor on the deadline if needed, but we announce the existence of the vulnerability to encourage the community to upgrade
- Disclosures are published via our community blog posts, Threat Intelligence Report, or -- for Premium customers -- directly via email notification
All aspects of this process are subject to change without notice, and to case-by-case exceptions.
Service Vulnerability Disclosure Policy
We define a service vulnerability as any issue with a technology service that represents an exploitable security risk for its users. We draw a distinction between service and software vulnerabilities. In many cases, when the VMP™ Security Services Team discovers a security vulnerability in a service, such as WordPress hosting, we take the following steps to address the issue:
- Our Threat Intelligence team notifies the service provider of the security vulnerability; disclosure deadlines are based on the date the vendor was notified:
  - 30 days if the vendor acknowledges our report within 14 days of initial contact
  - 14 days if the vendor does not acknowledge our report within 14 days of initial contact
  - At our discretion if the vulnerability is actively being exploited in the WordPress community
  - If a deadline would fall on a weekend or holiday, the deadline will be moved to the earliest following business day
- Where the service vulnerability directly affects VMP™ customers, we notify those customers if there are actions they can take to remediate the issue and/or consider changing hosting
- If the hosting provider is unresponsive or does not address the issue, we may instruct customers on how to migrate to a new hosting provider
- Once the service provider releases a fix or the deadline passes, we announce the vulnerability via our blog
All aspects of this process are subject to change without notice, and to case-by-case exceptions.
Questions About Our Security Policy?
If you have questions about our vulnerability disclosure policy or need to report a security issue, please contact us.