How to report security vulnerabilities or a bug?

Reporting bugs

If you feel that you have found a bug on our website or in your widget, before reporting it, please check the following:

  1. Browse our troubleshooting page first. For instance, broken images in the widget are not a bug but the result of an expired access token.
  2. If your widget behaves strangely without any modifications on your end and you are using custom CSS for your Instagram widget, please check our blog to see if any updates were issued recently. Sometimes the HTML structure or class names change in the plugin. The blog post usually covers the modifications and gives you alternatives to use in your Custom CSS.

If you have found a bug that you cannot find a solution for, and it is not caused by your Custom CSS or a widget update, please report it via our Support form. Someone from our team will review your support ticket, investigate and take further action to resolve the issue.

Reporting security issues

If you believe you have found a security vulnerability on LightWidget, we encourage you to let us know as soon as possible – we take security seriously. Our team will investigate all reports and do our best to fix the problems.

You can report security vulnerabilities directly via our Support form. Please read this entire document carefully before writing your report, so that we can investigate the problem immediately and so that it does not fall outside the scope described below.

In your submission, please provide clear, easily understood steps that reproduce the security issue. We need to be able to reproduce the issue on our end. Your submission will be reviewed and validated by our team. Although we will try to reproduce the problem and fix the bug as soon as possible, it may take some time before you get a response.

We also ask that you give us a reasonable amount of time to investigate the reported issue and fix the problem. We ask for responsible disclosure: do not share information about the issue with the public or with others. Please avoid privacy violations and disruptions to other users of our website, and destroy any data you obtained while testing.

Unless you can provide us with evidence of exploitability, we may exclude some classes of security vulnerabilities. Here is the list of exclusions:

  • Clickjacking with no practical security impact
  • Content spoofing
  • Invalid or missing SPF/DKIM records
  • Missing cookie flags on non-sensitive cookies
  • Missing HTTP security headers
  • Open redirects with low-security impact
  • Logout and other instances of low-severity CSRF
  • Self-XSS unless it is exploitable via reflected, stored, or DOM-based attack
  • SSL/TLS best practices and recommendations
  • Username or email enumeration on Login and Forgot Password page error messages
  • WordPress configuration recommendations or plugins recommendation for our main website
  • Vulnerabilities that only affect users of outdated or unpatched browsers and platforms
  • XST (cross-site tracing)

Comments (2)

  • Hello Team, just wanted to ask, are there any rewards for valid security vulnerabilities?

    prajitsindhkar01

      Hi there! We do not offer monetary rewards for vulnerability disclosures. We can offer a free widget upgrade add-on for the selected widget as a reward for discovered, valid security vulnerabilities.

      LightWidget