This document will discuss how we handle security while developing and maintaining Paid Memberships Pro and its related Add Ons. There are many things you can do to keep your WordPress site secure, but this document is focused solely on our development practices, how to notify us of a security vulnerability, and other frequently asked questions about our security processes.
Best Practices for Secure WordPress Development
We follow the best practices for secure plugin development published by the core WordPress development team. Specifically, all of our shipped code goes through a code review process that ensures that:
- Capability checks are used when appropriate.
- All input values are sanitized.
- All output values are escaped.
- Nonces are used when appropriate.
Reporting a Security Vulnerability
If you have found a vulnerability in our site, the PMPro plugin, or any of our Add Ons, we appreciate the responsible disclosure of that vulnerability.
Please submit your bug report with as much detail as possible to our contact form. Be sure to mention that you are reporting a security vulnerability issue.
Frequently Asked Questions
Do you have a bug bounty program?
We do not have an official bug bounty program. However, we have paid rewards for security disclosures in the past and will pay rewards for security disclosures if requested. The size of the reward will be set at our discretion and will be based on the severity of the bug reported.
What about PCI Compliance?
Do you have regular security audits?
We do not regularly have third party security audits. We review our code internally before pushing it out through official channels.
We have in the past hired outside developers to perform security audits and may do so in the future.
Paid Memberships Pro and all of our Add Ons are open source software. We encourage others to get involved in the development of the software, including from a security perspective.