Our Commitment

HumanSlop.org conducts automated security and code-quality audits of publicly distributed WordPress plugins. We believe developers deserve a fair opportunity to fix vulnerabilities before they are publicly disclosed. This policy outlines how we handle findings, timelines, and communications.

Disclosure Timeline

Upon completing an audit, we notify the developer via all available channels (plugin author email, WordPress.org support forum, and GitHub if applicable). Our disclosure schedule is:

• Day 0 — Immediate publication: Non-security findings (code quality, standards violations, performance issues) are published immediately. Security finding counts are noted but details are withheld.
• Day 30 — Summary publication: High-level descriptions of security issues are published (e.g. "SQL injection in search handler") without exploit details.
• Day 90 — Full disclosure: Complete technical details of all security findings are published regardless of patch status. This deadline is firm.

The 90-day deadline is non-negotiable. If a developer has not responded or patched by day 90, users deserve to know.

Hall of Fame

Developers who fully remediate all findings before the Day 90 deadline are added to our Hall of Fame with a tier based on speed of response: Gold (<7 days), Silver (7–30 days), Bronze (31–90 days).

What We Do Not Do

• We do not accept payment to suppress or delay findings.
• We do not file CVEs or GitHub Security Advisories without first giving the developer 30 days to respond.
• We do not publish working proof-of-concept exploit code.
• We do not audit plugins with fewer than 500 active installs or those not updated in the last 12 months.

Contact

If you are a developer with questions about an active audit, or believe we have made an error, contact us at disclosure@humanslop.org. We respond within 5 business days.

If you believe you have identified a security issue in our own infrastructure, please report it to the same address.