On the topic of security, the conditions of no warranty and limitation of liability as stated in our GPLv3 license (see LICENSE.md) stand valid, unless differently specified in a commercial agreement.
We recommend our users update to the latest release of our plugins on a regular basis, at least 3 or 4 times a year. When a critical security update is released, it's important to react swiftly, and schedule an update as soon as possible.
We notify our users about critical security updates via email (there's an opt-in on the download page). Alternatively, our users should periodically check the changelog found on the same download page.
On behalf of the ReadonlyREST team, thank you for reporting a vulnerability. You are awesome.
Please do not report vulnerabilities or suspected vulnerabilities in any public channel, including our forum or GitHub. Instead, send the information using the template below, along with any other information you feel is pertinent, to: support at readonlyrest dot com (or a forum DM).
Please report security vulnerabilities by filling out the following template:
* PROJECT: Name of the product or service, with a URL to project's repository when available.
* PUBLIC: Please let us know if this vulnerability has been made or discussed publicly already, and if so, please let us know where.
* DESCRIPTION: Please provide a precise description of the security vulnerability you have found, with as much information as you are able and willing to provide.
In addition, you may request that the project provide you with a patched release in advance of the release announcement. However, we cannot guarantee that such information will be provided to you in advance of the public release and announcement. We will email you at the same time the public announcement is made.
We will let you know within two business weeks whether your report has been accepted or rejected. In the interest of our user community, we ask that you please keep the report confidential until we have made a public announcement.