Security and disclosure
Security is a priority for us: we want everyone to be able to use our product safely. However, because we manage and rely on several platforms besides our WordPress plugin, a security issue could slip in through any of them.
Have you found a security issue or do you have concerns? Please read this page with care.
If you have found a security issue or data breach, do not abuse it, and do not access or download any more (potentially) sensitive data than is strictly needed to demonstrate the issue. Do not damage any of our systems, servers or platforms in any way to prove a security issue; contact us instead.
Before posting about the problem publicly
Do not post about security issues publicly before we have confirmed that they have been fixed or, for a security issue in our WordPress plugin, before the majority of our customers (both free and paid) have updated to a version in which the issue is fixed and can no longer be abused.
Additional conditions regarding issues in our WordPress plugin
Security is high on our list, and we will stay in contact with you after we have published an update. Publishing a post about the security issue should be discussed with us first; we will only approve a post once we can confirm that most of the customers who have our plugin installed have actually updated to the new version.
What we are interested in
As we work with multiple platforms, issues could potentially slip in anywhere. We keep our systems, platforms and servers up to date.
We are interested in:
- Security concerns regarding user or customer data.
- Security issues regarding our publicly hosted WordPress plugin: https://wordpress.org/plugins/buttonizer-multifunctional-button/
- Security issues regarding our website: https://buttonizer.pro/
- Security issues regarding our Buttonizer Community: https://community.buttonizer.pro/ . In case of a vulnerability in the Flarum software itself, we will also contact the Flarum Foundation in accordance with their bug policy.
- Security issues regarding our API (such as bypassing API security controls, cross-site scripting (XSS) or server-side code execution): https://api.buttonizer.pro/
- Security issues regarding the SDK or API of our partner Freemius. In this specific case we will put you in contact with them.
- Potential security issues regarding our self-hosted Sentry bug tracker or the server it runs on. Please also read Sentry's Security & Compliance page.
- Potential security issues or concerns regarding our email.
Have you found an issue that does not match the above criteria but that you think should be reported anyway? Do not hesitate, but before reporting, please also check the ‘What we are not interested in’ section below.
What we are not interested in
There are also issues we may not be interested in. You can still report them, but we may not act on them immediately and may choose not to reward you.
We are not interested in:
- Issues with any of our public WordPress development environment subdomains that are used for testing purposes (dev, 4-9, 5-0, 5-1, 5-2, etc.). Those subdomains do not contain any personal or customer data.
- Issues regarding social engineering.
- Issues regarding SSL or DNS.
- Issues on client sites that are not related to Buttonizer. Contact the site owner instead.
Have you found and reported a potential security issue? Depending on the severity of the vulnerability, we may choose to reward you in a way we decide.
For example, as we are a small company, we may decide (but are not limited) to reward you with one or more Buttonizer lifetime licenses, worth $74 each.
If we receive multiple reports from different people about the same issue, we’ll only reward the first person.
We will only reward reports that strictly follow the security guidelines on this page.
Reporting the issue
If you have found a (potential) security issue, do not hesitate: contact us immediately at firstname.lastname@example.org with a subject similar to “Security issue regarding [site/software/platform]”.
We monitor this email account constantly and will try to reply as soon as possible, even outside office hours when it comes to security.
Important additional information:
- Outside office hours you may receive an auto-reply email first.
- Please also be aware that we are a Dutch company based in the Netherlands; our time zone is Europe/Amsterdam (CET/CEST).