We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
Please DO NOT file a public issue for security vulnerabilities.
Instead, please send an email to: [email protected]
Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability within 5 business days
- Resolution: We will work to resolve critical issues within 30 days
- Disclosure: We will coordinate with you on responsible disclosure
We believe in responsible disclosure. We ask that you:
- Give us reasonable time to investigate and fix the issue
- Do not publicly disclose the vulnerability until we've had a chance to fix it
- Do not exploit the vulnerability for malicious purposes
When using WP Env:
- Environment Variables: Never commit sensitive values to version control
- Production Settings: Use appropriate environment detection in production
- Access Control: Restrict access to configuration files
- Regular Updates: Keep WP Env and dependencies updated
- Audit Logs: Monitor environment variable access in production
WP Env includes several security features:
- Sensitive Key Protection: Automatic detection and protection of sensitive keys
- No Cache for Secrets: Sensitive values are never cached
- WordPress Integration: Follows WordPress security best practices
- Type Safety: Strict typing reduces injection risks
- This library reads environment variables and WordPress constants
- Sensitive data should be properly protected at the system level
- Use appropriate file permissions for .env files
- Consider using WordPress's built-in secret management where applicable
For security-related questions or concerns:
- Email: [email protected]
- GitHub: @frugan-dev
We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Security researchers who help us improve WP Env will be acknowledged in our security advisories (with their permission).