Vulnerability Disclosure Policy (VDP)
Effective Date: 25/05/2025
CLH Web Security – Responsible Reporting of Security Issues
1. Purpose
CLH Web Security is committed to maintaining the security and integrity of our plugin, services, and web infrastructure. We welcome security researchers, ethical hackers, and users to responsibly report any vulnerabilities they discover.
This policy outlines how to report vulnerabilities, what we expect from reporters, and what you can expect from us.
2. Scope
This policy applies to:
- clhwebsecurity.com and all subdomains
- CLH WP Security Pro and CLH Website Security Lite plugins
- Our web scanning services and related backend systems
3. Reporting a Vulnerability
If you discover a potential security vulnerability, please report it immediately and privately via email:
📧 security@clhwebsecurity.com
(You may also CC: support@clhwebsecurity.com)
Please include:
- A clear description of the issue
- Steps to reproduce the vulnerability
- Proof-of-concept (if available)
- Your contact information (for follow-up)
4. What to Expect From Us
If you report a valid issue:
- You will receive an acknowledgment within 3 business days
- We aim to investigate and address valid reports within 15 business days
- We may contact you for further clarification or technical discussion
- You will be notified once the issue is resolved
We greatly appreciate your contribution and may publicly credit you (with your permission) once the issue is fixed.
5. Responsible Disclosure Guidelines
To ensure responsible behavior:
✅ Report the issue privately and do not disclose it publicly until it is resolved
✅ Do not exploit the vulnerability in any way (including accessing user data or systems)
✅ Do not use automated scanners or brute-force methods on production systems
✅ Do not disrupt services, degrade performance, or test in live environments unnecessarily
6. Out of Scope
The following are not considered valid under this policy:
- Reports based on outdated software versions
- Self-XSS or clickjacking on non-sensitive pages
- Missing SPF/DKIM records
- HTTP header issues with no real impact
- Denial of Service (DoS) via load testing or brute force
7. Legal Safe Harbor
We will not pursue legal action against researchers who:
- Follow this policy in good faith
- Do not violate privacy, disrupt services, or access customer data
- Provide us with a reasonable time to resolve the issue
8. Updates to This Policy
We may update this Vulnerability Disclosure Policy at any time. Updates will be posted on this page with a revised effective date.
9. Contact Us
For all security-related communications: