# Security Policy

## Supported Versions

We provide security updates for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 1.0.x   | :white_check_mark: |

Only the latest minor version receives security updates. We strongly recommend always running the latest version.

## Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in MTS Social Auto Post, please report it responsibly.

### How to Report

**Do NOT open a public GitHub issue for security vulnerabilities.**

Instead, please email us directly at:

**info@monirtechsolutions.com**

### What to Include

Please provide as much information as possible:

1. **Description**: A clear description of the vulnerability
2. **Impact**: What could an attacker do with this vulnerability, and what access do they need (unauthenticated, a low-privileged role such as Subscriber, or an Administrator)?
3. **Reproduction Steps**: Detailed steps to reproduce the issue
4. **Affected Version(s)**: Which version(s) are affected
5. **Potential Fix**: If you have suggestions for fixing the issue
6. **Your Contact**: How we can reach you for follow-up questions

### Example Report

```
Subject: [SECURITY] SQL Injection in Post Log

Description:
The post log filtering feature is vulnerable to SQL injection via the
'status' parameter.

Impact:
An authenticated administrator could potentially extract or modify
database contents.

Steps to Reproduce:
1. Navigate to Social Auto Post > Post Log
2. Modify the URL parameter: ?status=' OR '1'='1
3. Observe the modified query results

Affected Versions:
1.0.0

Suggested Fix:
Use $wpdb->prepare() for the status parameter in get_logs() method.
```
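To make the example report concrete, here is an added illustration (not the plugin's own code) of the pattern it describes: a hypothetical `get_logs()` written the vulnerable way, beside the same query bound through `$wpdb->prepare()`. It assumes the WordPress runtime (`$wpdb`); the table name `mts_social_log`, the column names and the set of allowed status values are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress ($wpdb).
// Table/column names and the allowed status values are assumptions.

// DELIBERATELY VULNERABLE (illustrates the report above): the raw request
// value is concatenated into the SQL string. With ?status=' OR '1'='1 the
// WHERE clause becomes   WHERE status = '' OR '1'='1'   and every row is
// returned; a UNION or a second statement is possible from the same spot.
function mts_get_logs_vulnerable( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mts_social_log';
    $sql   = "SELECT * FROM {$table} WHERE status = '" . $status . "' ORDER BY created_at DESC";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED: the value is bound through $wpdb->prepare(), which escapes it
// and wraps it in quotes, so the quote in the payload is data, not SQL.
// The status is also checked against an allow-list before it reaches SQL,
// so anything unexpected is rejected outright rather than merely escaped.
function mts_get_logs_hardened( $status, $limit = 100 ) {
    global $wpdb;
    $allowed = array( 'success', 'failed', 'pending' ); // assumed values
    if ( ! in_array( $status, $allowed, true ) ) {
        return array();
    }
    $table = $wpdb->prefix . 'mts_social_log'; // prefix is trusted config, not user input
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY created_at DESC LIMIT %d",
        $status,
        (int) $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

With the hardened version, `?status=' OR '1'='1` fails the allow-list and returns nothing; even without the allow-list, `prepare()` would bind it as the literal string `' OR '1'='1` (escaped and quoted), so no SQL structure changes. The `%d` placeholder covers the other common case: integer placeholders are cast, so a non-numeric `limit` becomes `0` instead of injected SQL.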

## Response Timeline

We aim to respond to security reports promptly:

| Stage | Timeline |
|-------|----------|
| Initial Response | Within 48 hours |
| Issue Confirmation | Within 5 business days |
| Fix Development | Depends on severity |
| Patch Release | As soon as fix is ready |
| Public Disclosure | After patch is released |

### Severity Levels

| Severity | Description | Target Fix Time |
|----------|-------------|-----------------|
| Critical | Remote code execution, privilege escalation | 24-48 hours |
| High | SQL injection, XSS, authentication bypass | 1 week |
| Medium | Information disclosure, CSRF | 2 weeks |
| Low | Minor issues, best practice improvements | Next release |

## Security Best Practices

### For Users

1. **Keep Updated**: Always run the latest version
2. **Strong Passwords**: Use strong WordPress admin passwords
3. **Limit Admin Access**: Only grant admin access to trusted users
4. **Secure Hosting**: Use a reputable hosting provider with security features
5. **SSL/HTTPS**: Always use HTTPS on your WordPress site
6. **Token Security**: Never share your Facebook Access Token publicly

### For the Plugin

We follow these security practices:

- **Input Sanitization**: All user input is sanitized
- **Output Escaping**: All output is properly escaped
- **Nonce Verification**: All forms use WordPress nonces
- **Capability Checks**: Admin functions verify user capabilities
- **Prepared Statements**: All database queries use `$wpdb->prepare()`
- **Encrypted Storage**: Sensitive credentials are encrypted at rest
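As an added example (not the plugin's own code) of how the practices listed above fit together on a WordPress admin screen, here is a hypothetical handler for the Post Log filter form, a row renderer with output escaping, and a pair of functions that keep the Facebook Access Token encrypted at rest. It assumes the WordPress runtime and PHP 7.2+ with libsodium; the capability `manage_options`, the nonce action `mts_filter_logs`, the option name `mts_fb_token`, the constant `MTS_TOKEN_KEY` and the allowed status values are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress and PHP >= 7.2
// with libsodium. Hook, capability, nonce, option and constant names are
// assumptions for illustration.

// Capability check + nonce verification + input sanitization for the
// Post Log filter form. Returns the validated status filter ('' = no filter).
function mts_handle_log_filter() {
    // Capability check: the log page is admin-only, so enforce it in the
    // handler too, not just in the menu registration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'mts-social-auto-post' ), '', array( 'response' => 403 ) );
    }
    // Nonce verification: rejects requests that did not originate from the
    // form rendered with wp_nonce_field( 'mts_filter_logs', 'mts_nonce' ).
    check_admin_referer( 'mts_filter_logs', 'mts_nonce' );

    // Input sanitization: normalise to [a-z0-9_-], then reject anything
    // outside the allow-list so only known values reach the database layer.
    $status  = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : '';
    $allowed = array( 'success', 'failed', 'pending' ); // assumed values
    if ( '' !== $status && ! in_array( $status, $allowed, true ) ) {
        $status = '';
    }
    return $status;
}

// Output escaping when rendering a log row. Values come from the database,
// which may hold attacker-influenced strings (e.g. an API error message
// that was stored verbatim), so every value is escaped for its context.
function mts_render_log_row( array $row ) {
    printf(
        '<tr><td>%s</td><td>%s</td><td><a href="%s">%s</a></td></tr>',
        esc_html( $row['post_title'] ),
        esc_html( $row['status'] ),
        esc_url( $row['permalink'] ),
        esc_html__( 'View', 'mts-social-auto-post' )
    );
}

// Encrypted storage: the access token is sealed with a key that lives in
// wp-config.php (MTS_TOKEN_KEY, 32 random bytes, base64-encoded), not in
// the database, so a database-only leak does not expose the token.
function mts_store_access_token( $token ) {
    if ( ! defined( 'MTS_TOKEN_KEY' ) ) {
        return new WP_Error( 'mts_no_key', 'MTS_TOKEN_KEY is not defined in wp-config.php' );
    }
    $key   = base64_decode( MTS_TOKEN_KEY );
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh per encryption
    $box   = sodium_crypto_secretbox( $token, $nonce, $key );
    // Store nonce || ciphertext. The nonce is not secret, only unique.
    update_option( 'mts_fb_token', base64_encode( $nonce . $box ), false );
    sodium_memzero( $token );
    return true;
}

function mts_get_access_token() {
    if ( ! defined( 'MTS_TOKEN_KEY' ) ) {
        return '';
    }
    $blob = base64_decode( get_option( 'mts_fb_token', '' ) );
    if ( strlen( $blob ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return '';
    }
    $nonce = substr( $blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $token = sodium_crypto_secretbox_open( $box, $nonce, base64_decode( MTS_TOKEN_KEY ) );
    return false === $token ? '' : $token; // false means tampered ciphertext or wrong key
}
```

The validated `$status` returned by `mts_handle_log_filter()` is what would then be bound into a `$wpdb->prepare()` query. To generate the key once: `php -r 'echo base64_encode(random_bytes(32));'` and place the result in `wp-config.php` as `define( 'MTS_TOKEN_KEY', '...' );`. Keeping the key out of `wp_options` is what makes "encrypted at rest" meaningful; if the key sat in the database next to the ciphertext, a SQL injection or a leaked backup would yield both at once.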

## Responsible Disclosure

We believe in responsible disclosure:

1. **Report Privately**: Send reports to our security email
2. **Allow Time**: Give us reasonable time to fix the issue
3. **No Exploitation**: Do not exploit the vulnerability beyond testing
4. **Coordinated Disclosure**: We will coordinate public disclosure timing

## Recognition

We appreciate security researchers who help keep our users safe. With your permission, we will:

- Credit you in the release notes
- Add you to our security acknowledgments
- Provide a letter of acknowledgment if requested

## Contact

**Security Email**: info@monirtechsolutions.com

**PGP Key**: Available upon request for encrypted communications

For non-security issues, please use [GitHub Issues](https://github.com/AjeebBhai/mts-social-auto-post/issues).

---

Thank you for helping keep MTS Social Auto Post and its users safe!
