Security and disclosure
Security is a priority for our product: we want everyone to be able to use it safely. However, because we manage and use multiple platforms besides our WordPress plugin and other apps, a security issue could slip in in different ways.
Have you found a security issue or do you have concerns? Please read this page with care.
If you have found a security issue or data breach, do not abuse the issue and do not download any more data (including, but not limited to, potentially sensitive data) than strictly needed to prove the issue. Do not damage any of our systems, servers or platforms in any way to prove a security issue; contact us instead.
Before posting about the problem publicly
Do not post security issues publicly before we can confirm the issues have been fixed or, in the case of a security issue in our WordPress plugin, before the majority of our customers (both free and paid) have updated the plugin to a version in which the issue has been fixed and cannot be abused.
Additional conditions regarding issues in our WordPress plugin
We do have security high on our list and will make sure to stay in contact after we have published an update. Publishing a post about the security issue should be discussed with us and we will only approve a post when we can confirm most of our customers that have our plugin installed have actually updated the plugin to the new version.
What we are interested in
As we are working with multiple platforms, issues could potentially slip in anywhere. We keep our systems, platforms and servers up-to-date.
We are interested in:
- Security concerns regarding user or customer data.
- Security issues regarding our public hosted WordPress plugin: https://wordpress.org/plugins/buttonizer-multifunctional-button/
- Security issues regarding our website: https://buttonizer.pro/
- Security issues regarding our Buttonizer Community: https://community.buttonizer.pro/. In case of a vulnerability inside the Flarum software, we will proceed to contact the Flarum Foundation as well regarding their bug policy.
- Security issues regarding our API (like bypassing API security, cross-site scripting (XSS) or server-side code execution): https://api.buttonizer.io/
- Security issues regarding the SDK or API from our partner Freemius. In this specific case we will bring you in contact with them.
- Potential security issues regarding our self-hosted Sentry bug tracker or potential server issues. Please also read their Security & Compliance.
- Potential security issues or concerns regarding our email.
Have you found an issue that does not match the above criteria, but you think you need to report it anyway? Do not hesitate, but before reporting, please also check the ‘What we are not interested in’ section.
What we are not interested in
However, there may also be issues that we are not interested in. You can report these issues, but we may not act on them immediately.
We are not interested in:
- Issues with any of our public WordPress development environment subdomains that are used for testing purposes (dev, 4-9, 5-0, 5-1, 5-2 etc). Those subdomains do not contain any personal or customer data.
- Issues regarding possible social engineering.
- Issues regarding SSL or DNS.
- Issues regarding client sites not related to Buttonizer. Please contact them instead.
Reporting the issue
If you have found a (potential) security issue, do not hesitate: please contact us immediately at [email protected] with a subject similar to “Security issue regarding [site/software/platform]”.
We monitor this email account constantly and we will try to reply as soon as possible, even outside office hours when it comes to security.