Security Policy

Last updated: 3 June 2026

1. Introduction

I take the security of wpguy.uk seriously. If you believe you have found a security vulnerability on this site, I want to know about it. This policy explains what to report, how to report it, and what you can expect in return.

This policy applies to wpguy.uk and all subdomains (*.wpguy.uk).

2. Scope

The following are in scope for responsible disclosure:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection or other injection vulnerabilities
  • Authentication or authorisation bypass
  • Sensitive data exposure
  • Server-side request forgery (SSRF)
  • Security misconfigurations with a meaningful impact

3. Out of Scope

The following are explicitly out of scope:

  • Social engineering, phishing, or physical access attacks
  • Denial of service (DoS or DDoS)
  • Automated scanning output submitted without manual validation
  • Vulnerabilities in third-party services or infrastructure not under my control
  • Missing security headers considered low-severity without a demonstrated exploit
  • Theoretical vulnerabilities without a proof of concept

4. How to Report

Send your report to security@wpguy.uk. Please include:

  • A clear description of the vulnerability
  • The URL or endpoint affected
  • Steps to reproduce, or a proof of concept
  • The potential impact as you assess it

The more detail you provide, the faster I can assess and respond.

5. What to Expect

I work Monday to Thursday, and the timelines below are counted in those working days:

  • Acknowledgement within 5 business days of receipt
  • An initial assessment of severity and scope within 10 business days
  • A status update at least every 30 days until the issue is resolved or closed

I will let you know when a fix has been deployed. I do not operate a bug bounty programme.

6. Safe Harbour

If you conduct security research against wpguy.uk in good faith and in accordance with this policy, I will not pursue legal action against you and will not refer your activity to law enforcement.

Good faith means:

  • You report the issue to me promptly and do not exploit it beyond what is necessary to demonstrate it
  • You do not access, modify, or delete data that is not your own
  • You do not perform denial of service testing
  • You allow reasonable time for a fix before any public disclosure

I ask for coordinated disclosure — please do not publish details of a vulnerability publicly until I have had the opportunity to address it.

7. Acknowledgements

If you report a valid, in-scope vulnerability and would like to be credited, I will acknowledge you by name (or pseudonym) on this page once the issue is resolved. Let me know your preference when you report.