# Security Policy

## Supported Versions

Only the latest release of each BW plugin receives security updates.

## Reporting a Vulnerability

If you discover a security vulnerability in any BW plugin:

1. **Do NOT open a public issue.**
2. Email: security@bowden.works (or contact rian directly)
3. Include: plugin slug, version, description, steps to reproduce, suggested fix if you have one.
4. We'll acknowledge receipt within 5 business days and aim to release a fix within 30 days for critical issues.

## What We Protect Against

Every release is scanned for:

- Code execution and obfuscation primitives: `eval`, `assert` (which evaluates a string argument on PHP < 8), `system`, `exec`, `shell_exec`, `passthru`, `popen`, `proc_open`, backtick operators, and `base64_decode` (flagged as an obfuscation marker rather than an execution primitive in itself)
- Dynamic includes: `include $var`, `require $var`
- File operations fed from user input: `file_get_contents($_...)`, `fopen($_...)`, where `$_` stands for any superglobal (`$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE`, ...)
- SQL injection: string concatenation inside `$wpdb->query()` instead of `$wpdb->prepare()`, and direct `mysqli_query()` calls that bypass `$wpdb` entirely
- `extract()` on superglobals
- TLS verification disabled: `CURLOPT_SSL_VERIFYPEER = false`, `CURLOPT_SSL_VERIFYHOST = 0`
- Committed secrets: API keys, AWS keys, Stripe live keys, GitHub PATs, PEM private keys
- Raw superglobal access without sanitization

The scan runs as part of every release via `tools/security-scan.sh`. A weekly cron runs it against all plugins regardless of release activity.
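As an added illustration (not the project's `tools/security-scan.sh`, whose contents are not shown on this page), the following POSIX shell script applies the pattern list above to a directory and prints one line per hit, labelled by category. The pattern labels, the regexes and the two sample PHP files it builds are constructed for this example; the raw-superglobal check is left out because it needs context a line-oriented grep does not have, and the `$wpdb->query()` concatenation rule is deliberately narrow (a string ending in `. $...` inside the call).

```shell
#!/bin/sh
# Added example in the spirit of tools/security-scan.sh; NOT the project's script.
# Each pattern line is "label|POSIX ERE". Labels and regexes are constructed here.
SCAN_PATTERNS='
code-exec|(^|[^[:alnum:]_>$])(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(
obfuscation|(^|[^[:alnum:]_>$])base64_decode[[:space:]]*\(
backtick-exec|`[^`]+`
dynamic-include|(^|[^[:alnum:]_])(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$
file-op-on-input|(^|[^[:alnum:]_])(file_get_contents|fopen)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)
sqli-concat|\$wpdb->query[[:space:]]*\([^)]*\.[[:space:]]*\$
sqli-bypass|(^|[^[:alnum:]_])mysqli_query[[:space:]]*\(
extract-superglobal|(^|[^[:alnum:]_])extract[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE|SERVER)
tls-verify-off|CURLOPT_SSL_VERIFY(PEER|HOST)[[:space:]]*(,|=>?)[[:space:]]*(false|0)
secret-aws|AKIA[0-9A-Z]{16}
secret-stripe|sk_live_[0-9A-Za-z]{24}
secret-github|ghp_[0-9A-Za-z]{36}
secret-pem|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
'

# bw_scan_dir DIR: print "label:file:line:content" for every pattern hit under DIR.
# One grep per pattern, so a line that trips two categories is reported twice.
bw_scan_dir() {
  printf '%s\n' "$SCAN_PATTERNS" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    label=${entry%%|*}
    regex=${entry#*|}
    grep -rEn --exclude-dir=.git --exclude-dir=node_modules -e "$regex" "$1" 2>/dev/null \
      | sed "s/^/$label:/"
  done
}

# bw_scan_count DIR: number of hits (0 when the tree is clean).
bw_scan_count() {
  bw_scan_dir "$1" | wc -l | tr -d '[:space:]'
}

# bw_scan_gate DIR: succeed only on a clean tree; use as `bw_scan_gate DIR || exit 1` in CI.
bw_scan_gate() {
  [ "$(bw_scan_count "$1")" -eq 0 ]
}

# make_sample_plugin DIR: constructed sample plugin, one bad file and one clean file.
make_sample_plugin() {
  mkdir -p "$1"
  cat > "$1/vuln.php" <<'PHP'
<?php
// Constructed sample: every statement below is intentionally flagged.
$out = shell_exec($_GET['cmd']);
eval(base64_decode($payload));
include $_GET['page'] . '.php';
$data = file_get_contents($_POST['url']);
$wpdb->query("SELECT * FROM wp_posts WHERE ID = " . $_GET['id']);
extract($_REQUEST);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$aws_key = 'AKIAIOSFODNN7EXAMPLE';
PHP
  cat > "$1/clean.php" <<'PHP'
<?php
// Constructed clean file: prepared statement and sanitized input.
$id  = absint($_GET['id'] ?? 0);
$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id));
PHP
}

# Stand-alone demo against the constructed sample; a real run points at a plugin checkout.
demo_dir=$(mktemp -d)
make_sample_plugin "$demo_dir"
bw_scan_dir "$demo_dir"
echo "hits: $(bw_scan_count "$demo_dir")"
bw_scan_gate "$demo_dir" || echo "gate: release would be blocked"
rm -rf "$demo_dir"
```

The sample trips nine rules (the `eval(base64_decode(...))` line counts twice, once per category) and the clean file none. Treat the output as a review queue rather than a verdict: a hit on `exec(` may be a legitimate PDO call, and a secret pattern tuned to one vendor's prefix will miss keys in other formats, so extend the list with the credential shapes your own code actually uses.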

## Update Telemetry

BW plugins check for updates at `https://plugins.bowden.works/wp-json/bw/v1/update-check`. This request logs:

- Plugin slug
- Site URL (sent in an HTTP request header)
- Installed plugin version
- WordPress version
- PHP version
- IP address
- Timestamp

We do NOT log: site content, user data, WP config, or anything identifying individual users of your site.

We use this data to:
- Know who has which version installed (so we can give support)
- Detect stale installs that may need manual attention
- Identify if there's a release problem

Planned, not yet available: an opt-out filter hook (`add_filter('bw_disable_update_telemetry', '__return_true');`).

## Release Integrity

Every release manifest records the SHA-256 hash of the release zip, and the plugin-update-checker library compares the downloaded zip against it before installing. Because the manifest and the zip are served from the same origin, the hash catches corrupt or truncated downloads; on its own it cannot authenticate a release against a compromised server, which would require a signature verified with a key shipped inside the plugin.
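The verification step, as an added example rather than the plugin-update-checker library's own code: a portable shell check that a downloaded zip matches the digest taken from the manifest. The manifest format is not shown on this page, so the expected value is passed in as a plain hex string; the sample "release" file and its digest are constructed for the demo (the content `abc` has the well-known SHA-256 `ba7816bf...15ad`).

```shell
#!/bin/sh
# Added example (not the project's updater code): verify a release zip against
# the SHA-256 recorded in the manifest. Works with sha256sum (Linux) or shasum (macOS/BSD).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_release_zip ZIP EXPECTED_HEX: return 0 if the digest matches, 1 otherwise.
# Case is normalised, and an empty or malformed manifest value fails closed: a manifest
# that omits the hash must block the install, not pass vacuously.
verify_release_zip() {
  zip=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    ''|*[!0-9a-f]*) echo "manifest hash missing or malformed" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "manifest hash has wrong length" >&2; return 1; }
  [ -f "$zip" ] || { echo "no such file: $zip" >&2; return 1; }
  actual=$(sha256_of "$zip")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $zip: got $actual, expected $expected" >&2
  return 1
}

# Demo with a constructed "release": the file holds "abc"; the manifest value is written
# in upper case on purpose to exercise the normalisation.
demo_zip=$(mktemp)
printf 'abc' > "$demo_zip"
MANIFEST_SHA256='BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD'
if verify_release_zip "$demo_zip" "$MANIFEST_SHA256"; then
  echo "ok: digest matches, safe to install"
fi
rm -f "$demo_zip"
```

Run the check on the downloaded archive before it is unpacked into `wp-content/plugins/`, and abort on any non-zero return, including the malformed-manifest cases, rather than only on a mismatch.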

## Dev Environment Security

The dev site (`bw-plugins.demoing.info`) is behind the `demoing-auth` cookie gate. The dist site (`plugins.bowden.works`) is public but:

- HTTPS-only (Caddy + Let's Encrypt)
- WordPress auto-updates for minor versions
- Strong admin passwords in `/srv/.private/secrets/`
- Login rate limiting (Limit Login Attempts or an equivalent plugin)
- Weekly server-wide security audit (`srv-gw security-audit`)

## License

All BW plugins are licensed GPL-2.0-or-later.
