Reporting Security Vulnerabilities
Kadence is proactive in preventing security issues, and our software products go through rigorous security-focused evaluation prior to release. If you believe you have found a security issue, we look forward to working with you to create an effective fix. To protect the community of software users, it is standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.
Scope
Kadence develops and offers a wide range of software packages for WordPress sites, including themes and plugins: those offered for free on the WordPress.org repository as well as paid plugins offered on KadenceWP.com, including but not limited to Kadence Shop Kit, Kadence Conversions, the Kadence Theme Pro Plugin, and the Kadence Blocks Pro Plugin. If you believe you have found a security issue in one of those offerings, we look forward to working with you to resolve it and protect Kadence users, whether free or paid customers.
Many third-party developers build solutions on top of the Kadence Blocks plugin and the Kadence theme. If you believe you have found an issue in one of these third-party offerings, we can likely help you find contact information for those developers so that you can establish a secure communication channel for resolution.
Where do I report security issues?
The following products are handled through Patchstack’s managed Vulnerability Disclosure Program.
We are adding more products to the Patchstack managed Vulnerability Disclosure Program as products are updated.
For any product not listed above, Kadence participates in the Liquid Web Bug Bounty program. Please familiarize yourself with the Liquid Web bug bounty scope, process, and legal requirements detailed there. Reporting your findings through the bug bounty program's secure channel, with a verifiable proof of concept, allows your report to be handled effectively and securely.
In all cases, do not share the details with anyone else, privately or publicly, until the vulnerability has been sufficiently patched. If you have a verified vulnerability, we recommend requesting a CVE ID from an established CNA such as Patchstack, ensuring that your CVE is scored with CVSS, and entering it into either the Patchstack or WPScan vulnerability database, so that the vulnerability is responsibly disclosed and can be tracked by the security community.