Security Policy
Agentic Daisy takes security seriously. This policy covers how to report vulnerabilities in WebCalendar for WordPress and what to expect after you do.
Supported Versions
Only the latest release receives security patches. If you are running an older version, please update before reporting.
| Version | Supported |
|---|---|
| Latest 1.x release | Yes |
| Older releases | No |
Reporting a Vulnerability
Do not file security issues as public GitHub issues or WordPress.org support topics.
Email security@agenticdaisy.com with:
- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The affected version(s)
- Any suggested fix (optional)
What to Expect
| Timeframe | Stage | What happens |
|---|---|---|
| 72 hrs | Acknowledgment | We confirm receipt of your report within 72 hours. |
| 1 week | Assessment | We verify the issue and determine its severity. |
| 90 days | Resolution | We aim to fix confirmed vulnerabilities within 90 days. If more time is needed, we communicate a revised timeline. |
Disclosure Policy
We follow coordinated disclosure:
- Reporter notifies us privately via security@agenticdaisy.com.
- We confirm the issue and develop a fix.
- We release the fix and publish a security advisory on agenticdaisy.com.
- Reporter may publish details after the advisory is public.
Scope
In Scope
- Authentication or authorization bypass
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Remote code execution
- Path traversal or local file inclusion
- Information disclosure (credentials, PII, internal paths)
- REST API access control issues
- Privilege escalation via calendar permissions
Out of Scope
- Denial of service (unless trivially exploitable)
- Issues in third-party dependencies (report to the upstream project)
- Issues requiring physical access to the server
- Social engineering
- Vulnerabilities in WordPress core (report to WordPress HackerOne)
Credit
We credit reporters in the security advisory and release notes unless they prefer to remain anonymous. Let us know your preference when reporting.

