Draft Theme Directory Vulnerability Reporting Guidelines

Draft of the Theme Directory Vulnerability Reporting Guidelines based off the plugin ones. I'm not a theme expert, so I welcome any feedback from theme developers and others.


If you discover a security issue with a theme listed in the ClassicPress Theme Directory, we encourage responsible and reasonable disclosure of the security issue. Therefore, please do not publicly release details of the issue anywhere, as this can lead to an increase in people being hacked and rarely speeds up the resolution of the issue.

As the first step in reporting a security issue with a theme, please contact the developer via their standard support channels or by sending a direct message to them on the forum. In your report, please include the following:

  • a clear and concise description of the security issue.
  • a link to the specific theme in the ClassicPress Theme Directory.
  • details of who validated the security issue.

It is also recommended to include links to any public disclosures on third-party sites.

As the second step in reporting a security issue, if you do not receive an acknowledgement from the developer in 72 hours, please email the details listed above to [email protected].

The Theme Directory moderators will attempt to make contact with the theme developer to get the issue resolved. The theme may be closed to prevent new downloads until the issue is resolved and the Theme Directory moderators. You may not receive any notifications of progress until a fix has been released.
