Security Policy for Freesoul Deactivate Plugins

This document outlines the security measures and policies implemented for Freesoul Deactivate Plugins to comply with the Regulation (EU) 2024/2847 on cyber resilience.

1. Scope

The security policy applies to:

  • All components of the Freesoul Deactivate Plugins codebase.
  • Any data processed or stored by the plugin.
  • Updates and patches released for the plugin.

2. Development Practices

  • Secure Coding Standards: All code is written following best practices for secure coding, including OWASP guidelines.
  • Regular Code Reviews: The codebase is regularly reviewed to identify and mitigate vulnerabilities.
  • Dependency Management: Apart from jQuery, which is loaded on the backend pages, the plugin uses no third-party libraries. We are working to remove jQuery from Freesoul Deactivate Plugins.
    Until jQuery is removed, we regularly check that the version shipped with WordPress core is not vulnerable.
    The plugin minimizes external dependencies and relies primarily on WordPress core components.
    By default, Freesoul Deactivate Plugins applies a Content Security Policy on all of the plugin's backend pages to prevent external scripts from loading.

3. Product Security Requirements

3.1 Secure Configuration

  • The plugin operates with the minimum privileges required.
  • All default settings prioritize security, with users required to explicitly enable riskier features.

3.2 Data Protection

  • The plugin does not intentionally process sensitive personal data.

3.3 Authentication and Authorization

  • Access to plugin administrative features is restricted to users with appropriate WordPress roles and permissions.
  • Nonce and capability checks are implemented for admin-level actions.
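The two controls named in sections 2 and 3.3 (a Content Security Policy on the plugin's backend pages, and nonce plus capability checks on admin-level actions) can be illustrated with a single minimal WordPress settings page. The code below is an added example written for this document; it is not code from Freesoul Deactivate Plugins, and the hook names, page slug (`example-settings`), option name (`example_risky_feature`) and form field names are hypothetical. Only the WordPress core functions used (`add_options_page`, `current_user_can`, `wp_nonce_field`, `check_admin_referer`, `wp_die`, `update_option`, `wp_safe_redirect`) are real.

```php
<?php
// Added example (not Freesoul Deactivate Plugins' own code): a minimal WordPress
// admin page that (a) sends a Content Security Policy header on its own backend
// page so that only same-origin scripts can load, and (b) guards its form handler
// with a capability check and a nonce. Slugs, option and hook names are hypothetical.

add_action( 'admin_menu', function () {
    add_options_page(
        'Example Settings',
        'Example Settings',
        'manage_options',               // capability required to see the page
        'example-settings',             // hypothetical page slug
        'example_render_settings_page'
    );
} );

// (a) CSP on the plugin's own backend page. admin_init runs before any admin
// output, so the header can still be sent. 'unsafe-inline' is kept because
// wp-admin core itself emits inline scripts; third-party origins are still blocked.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( 'example-settings' === $page && ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'" );
    }
} );

function example_render_settings_page() {
    // Capability check: only administrators (manage_options) may view the page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    // Riskier feature is opt-in: the option defaults to off (section 3.1).
    $enabled = (bool) get_option( 'example_risky_feature', false );
    ?>
    <div class="wrap">
        <h1>Example Settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="example_save_settings">
            <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); // anti-CSRF token ?>
            <label>
                <input type="checkbox" name="risky_feature" value="1" <?php checked( $enabled ); ?>>
                Enable risky feature (off by default)
            </label>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// (b) Form handler: capability check first, then nonce, then sanitized input.
add_action( 'admin_post_example_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 if the nonce is missing, expired or does not match this user/action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Accept only the exact value the form can submit; anything else means "off".
    $enabled = isset( $_POST['risky_feature'] ) && '1' === $_POST['risky_feature'];
    update_option( 'example_risky_feature', $enabled ? 1 : 0 );

    // wp_safe_redirect() refuses off-site targets, so the redirect cannot be abused.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-settings' ) ) );
    exit;
} );
```

The order in the handler matters: the capability check runs before the nonce check so that a nonce belonging to a low-privilege user can never authorize an administrative change, and the nonce check runs before any state is written so a forged cross-site request is rejected without side effects. The CSP deliberately stops at blocking external origins, which is the goal stated in section 2; a stricter `script-src 'self'` would also block the inline scripts WordPress core prints on every admin page.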

4. Vulnerability Management

4.1 Reporting and Disclosure

4.2 Patch Management

  • Vulnerabilities are patched within 30 days of identification.
  • Critical vulnerabilities are addressed immediately, and users who are subscribed to our newsletter are notified of urgent updates.

4.3 Update Mechanism

  • The plugin supports automatic updates through the WordPress plugin repository.
  • All updates are delivered over secure connections (HTTPS).
  • Security updates are provided for the latest version of the plugin.

5. Monitoring and Incident Response

  • Activity Logs: The plugin maintains detailed logs of all administrative actions for audit purposes.
  • Incident Response Plan: A predefined plan is in place to handle security incidents, including:
    • Notification of affected users.
    • Deployment of fixes.
    • Post-incident analysis.

6. Compliance and Certification

  • The plugin is designed to align with the principles of Regulation (EU) 2024/2847 (Cyber Resilience Act).
  • Security reviews are conducted regularly to identify potential vulnerabilities.
  • The plugin benefits from external vulnerability research programs such as Patchstack.

7. Known Limitations

While the plugin is designed with security in mind, improper configuration or conflicts with third-party plugins may introduce unexpected behavior.

8. User Responsibilities

  • Users must ensure WordPress core and plugins are kept up-to-date.
  • Use secure credentials and enable 2FA for admin accounts.
  • Regularly review plugin settings to ensure compliance with their organization’s security policies.
  • Users are responsible for maintaining a secure hosting environment.

9. Contact and Support

For security issues or inquiries, please contact us via our contact form at https://freesoul-deactivate-plugins.com/contact/.
Alternatively, vulnerabilities can be reported via email: [email protected]