We actively support the following versions of Blitz Cache with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of Blitz Cache seriously. If you believe you have found a security vulnerability, please follow these steps to report it:
DO NOT report security vulnerabilities through public GitHub issues. Instead:
- Email: Send details to [email protected]
- PGP Key: Use our PGP key for encrypted communication
  - Key ID: `0x1234567890ABCDEF`
  - Fingerprint: `XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX`
Please include the following information in your report:
- Description: A clear description of the vulnerability
- Impact: What could an attacker do with this vulnerability?
- Reproduction: Steps to reproduce the vulnerability
- Environment:
  - WordPress version
  - PHP version
  - Blitz Cache version
  - Theme and active plugins
- Proof of Concept: Code or screenshots demonstrating the vulnerability
We are committed to working with security researchers to:
- ✅ Acknowledge receipt of your report within 48 hours
- ✅ Provide an initial assessment within 7 days
- ✅ Keep you informed of our progress
- ✅ Credit you in our security acknowledgments (if desired)
- ✅ Not take legal action against researchers who follow this policy
We ask that researchers:
- ✅ Report vulnerabilities responsibly
- ✅ Give us reasonable time to fix issues before disclosure
- ✅ Do not access user data beyond what's necessary to demonstrate the vulnerability
- ✅ Do not perform testing on production sites
- ✅ Do not publicly disclose the vulnerability until we've had a chance to fix it
Blitz Cache implements the following security measures:
- All user inputs are sanitized using WordPress sanitization functions
- URLs are validated and escaped
- Form data is properly validated
- API tokens are encrypted using AES-256-CBC encryption
- Sensitive data is never stored in plain text
- Passwords and secrets use secure hashing
- Admin functionality requires the `manage_options` capability
- AJAX actions verify nonces for CSRF protection
- User permissions are properly checked
- Cache files are stored outside the web root
- `.htaccess` rules prevent direct access to cache files
- Cache directory has an `index.php` to prevent directory listing
- Cache files have unique MD5 hash names
- No custom SQL queries (WordPress handles all DB operations)
- When needed, `$wpdb->prepare()` is used for queries
- All output is properly escaped
- User-generated content is sanitized
- WordPress escaping functions are used throughout
- Nonces are used for all state-changing operations
- AJAX requests verify nonces
- Forms include nonce fields
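As an added illustration (not code from the Blitz Cache plugin), here is how the measures above combine in a single admin-only AJAX handler: nonce verification for CSRF, a `manage_options` capability check, input validation, MD5-named cache files and escaped output. The action name `blitz_cache_purge_url`, the nonce action `blitz_cache_purge`, the script handle and the cache directory constant are assumptions.

```php
<?php
// Added example, not Blitz Cache's own code. Hook names, the nonce action and
// the cache directory below are assumptions made for illustration only.

// Assumed location of the cache directory (the real plugin's path may differ).
define( 'BLITZ_CACHE_EXAMPLE_DIR', WP_CONTENT_DIR . '/cache/blitz-cache/' );

// Hand the nonce to the admin script (handle 'blitz-cache-admin' is assumed
// to be registered elsewhere). The nonce is tied to the logged-in user.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'blitz-cache-admin', 'blitzCache', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'blitz_cache_purge' ),
    ) );
} );

// wp_ajax_* hooks only fire for logged-in users; deliberately no
// wp_ajax_nopriv_* counterpart, so anonymous requests never reach this code.
add_action( 'wp_ajax_blitz_cache_purge_url', function () {
    // 1. CSRF: check_ajax_referer() dies with a 403 when the nonce is missing
    //    or invalid, so nothing below runs on a forged request.
    check_ajax_referer( 'blitz_cache_purge', 'nonce' );

    // 2. Authorization: being logged in is not enough; require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: unslash, sanitize, and accept only http(s) URLs.
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    // 4. Cache file name is the MD5 of the URL: fixed-length hex, so user input
    //    can never become a path component (no traversal into other directories).
    $cache_file = BLITZ_CACHE_EXAMPLE_DIR . md5( $url ) . '.html';
    if ( is_file( $cache_file ) ) {
        unlink( $cache_file );
    }

    // 5. Escape output even in JSON responses that the admin UI will render.
    wp_send_json_success( array( 'message' => esc_html( 'Purged ' . $url ) ) );
} );
```

Forms that post to a non-AJAX admin page get the same protection with `wp_nonce_field()` in the form and `check_admin_referer()` in the handler, paired with the same `current_user_can( 'manage_options' )` check.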
For users of Blitz Cache:
- Keep WordPress Updated: Always run the latest version
- Keep PHP Updated: Use supported PHP versions (8.0+)
- Strong Passwords: Use strong passwords for admin accounts
- Limited Access: Only grant necessary permissions to users
- Regular Backups: Maintain regular backups of your site
- Monitor Logs: Check WordPress debug logs regularly
- Use HTTPS: Always use SSL/TLS certificates
- Regular Updates: Keep all plugins and themes updated
We would like to thank the following security researchers who have responsibly disclosed vulnerabilities:
- Researcher Name - Vulnerability description - Date
- Researcher Name - Vulnerability description - Date
Currently, we do not offer a monetary bug bounty program. However, we:
- ✅ Publicly acknowledge security researchers (with permission)
- ✅ Provide contributor recognition
- ✅ Offer early access to new versions
- ✅ Provide security researcher badges
Our vulnerability disclosure policy follows a 90-day timeline:
- Day 0: Vulnerability reported
- Day 1-7: Initial assessment and reproduction
- Day 8-60: Development and testing of fix
- Day 61-90: Coordinated disclosure with vendor
- Day 90+: Public disclosure if vendor hasn't fixed
For security-related questions:
- Email: [email protected]
- GitHub Security: Use GitHub's private vulnerability reporting feature
Thank you for helping keep Blitz Cache and the WordPress community safe!