Responsible Security Disclosure Policy for Ninja Forms

Reporting Security Vulnerabilities

While we try to be proactive in preventing security problems, unfortunately it is inevitable that security flaws will be discovered in all software, including our own. It is standard practice in open source to responsibly and privately disclose to the vendor — in this case Saturday Drive, the developers of Ninja Forms — a security problem before publicizing, so a fix can be prepared, and we can take proactive steps to protect the users of Ninja Forms.

What is a “security” issue?

A security issue is a type of bug that can affect the security of WordPress installations.

Specifically, it is a report of a bug that you have found in the code for Ninja Forms or add-ons for Ninja Forms, and that you have determined can be used to gain some level of access to a site running Ninja Forms that you should not have.

Please keep in mind, there are many 3rd-party add-ons for Ninja Forms that we do not develop. If you have found a vulnerability in a 3rd-party add-on for Ninja Forms, while we likely can’t fix it, it’s likely we know who can and want to help keep the Ninja Forms ecosystem healthy.

Where do I report security issues?

If you would like to contact us with a security vulnerability or possible vulnerability, please contact us via email — security@saturdaydrive.com. This address can be used for reporting vulnerabilities for any Saturday Drive product including Ninja Forms, SendWP and Caldera Forms. Please do not use this email for support.

In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public. If you have a verified vulnerability, to ensure that the vulnerability is responsibly disclosed and can be tracked by the security community, we recommend requesting a CVE ID and entering it in the WPScan Vulnerability Database