Security patches are applied to the latest stable release only. Older major/minor branches receive critical patches at maintainer discretion.

| Version | Supported |
|---|---|
| Latest stable release | Yes |
| Older releases | Critical patches at maintainer discretion |

Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in Dispatch for Telex, please report it using one of the following channels:
- GitHub Private Vulnerability Reporting — open the repository Security tab and use the Report a vulnerability button. This is the preferred channel.
- Email — send details to security@regionallyfamous.com. If the disclosure is sensitive, please encrypt your message using our PGP key (available on request).
Please include as much of the following information as possible to help us understand the nature and scope of the issue:
- Type of vulnerability (e.g. SQL injection, XSS, privilege escalation, CSRF)
- Full path of the source file(s) related to the vulnerability
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if available)
- Impact of the vulnerability, including how an attacker might exploit it
- Affected versions

| Milestone | Target |
|---|---|
| Acknowledgement of report | 48 hours |
| Triage and severity assessment | 5 days |
| Patch released (critical/high) | 14 days |
| Patch released (medium/low) | 60 days |
| Public disclosure (coordinated) | 90 days |

We will keep you informed at each stage and coordinate public disclosure timing with you.
The following are in scope for this policy:
- The Dispatch for Telex WordPress plugin (this repository)
- The Telex REST API endpoints registered by this plugin (`telex/v1/*`)
- The OAuth 2.0 device authorization flow and token storage
The following are out of scope:
- The Telex platform itself (`telex.automattic.ai`) — report those to Automattic
- WordPress core vulnerabilities — report those to the WordPress security team
- Vulnerabilities in third-party libraries (report to the respective project and we will update our dependency once a fix is available)
- Social engineering attacks
We follow coordinated vulnerability disclosure. We ask that you give us a reasonable amount of time to address the issue before any public disclosure. We will credit reporters in the release notes unless you prefer to remain anonymous.
For an overview of the security controls built into this plugin (AES-256-GCM token encryption, circuit breaker, audit log, SSRF protection, rate limiting), see the Security Model wiki page and Architecture wiki page.