Security Policy for Freesoul Deactivate Plugins
This document outlines the security measures and policies implemented for Freesoul Deactivate Plugins to comply with the Regulation (EU) 2024/2847 on cyber resilience.
1. Scope
The security policy applies to:
- All components of the Freesoul Deactivate Plugins codebase.
- Any data processed or stored by the plugin.
- Updates and patches released for the plugin.
2. Development Practices
- Secure Coding Standards: All code is written following best practices for secure coding, including OWASP guidelines.
- Regular Code Reviews: The codebase is reviewed by a security team to identify and mitigate vulnerabilities.
- Dependency Management: Apart from jQuery, which is loaded on the backend pages, the plugin uses no third-party libraries. We are working to remove jQuery from Freesoul Deactivate Plugins. Until jQuery is removed, we regularly check that the version shipped with WordPress core is not vulnerable.
- Content Security Policy: By default, Freesoul Deactivate Plugins sends a Content Security Policy on all of the plugin's backend pages to prevent external scripts from loading.
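The following is an added illustration, not code from Freesoul Deactivate Plugins, of how a WordPress plugin can send a Content Security Policy on its own admin pages only. The page slug 'example-settings' and the function name are hypothetical, and the policy assumes the plugin's pages do not rely on inline scripts.

```php
<?php
// Added example (not the plugin's own code): emit a CSP header only on this
// plugin's admin page so other plugins' screens are left untouched.
// The page slug 'example-settings' is hypothetical.

add_action( 'admin_init', 'example_send_admin_csp' );

function example_send_admin_csp() {
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';

    // Not our page, or headers already on the wire: do nothing.
    if ( 'example-settings' !== $page || headers_sent() ) {
        return;
    }

    // 'self' covers scripts served by this site (WordPress core, the bundled
    // jQuery and the plugin's own files). Scripts from any other origin are
    // blocked by the browser, and inline scripts are refused as well.
    $directives = array(
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
    );

    header( 'Content-Security-Policy: ' . implode( '; ', $directives ) );
}
```

WordPress core emits inline scripts on many admin screens, so a policy this strict has to be verified in the browser console on every page it covers; where inline scripts cannot be avoided, a per-request CSP nonce or script hash is the usual alternative to loosening script-src.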
3. Product Security Requirements
3.1 Secure Configuration
- The plugin operates with the minimum privileges required.
- All default settings prioritize security, with users required to explicitly enable riskier features.
3.2 Data Protection
- Freesoul Deactivate Plugins does not handle any sensitive user information.
3.3 Authentication and Authorization
- Access to plugin administrative features is restricted to users with appropriate WordPress roles and permissions.
- Nonce and capability checks are implemented for admin-level actions.
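The following is an added illustration, not code from Freesoul Deactivate Plugins, of what a nonce plus capability check on an admin-level action looks like in a WordPress plugin. The action name, option name, text domain and function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code): an admin-post handler that
// refuses the request unless the user holds the right capability AND the
// request carries a valid nonce for this specific action.
// Names such as 'example_deactivate_rule' are hypothetical.

add_action( 'admin_post_example_deactivate_rule', 'example_handle_deactivate_rule' );

function example_handle_deactivate_rule() {
    // 1. Capability check: authorization. Only users allowed to manage
    //    plugins may reach the rest of the handler.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to perform this action.', 'example' ), 403 );
    }

    // 2. Nonce check: the request must carry an unexpired nonce bound to this
    //    action, which stops cross-site request forgery. check_admin_referer()
    //    calls wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'example_deactivate_rule' );

    // 3. Only after both checks pass is input read and sanitized.
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( '' === $plugin ) {
        wp_die( esc_html__( 'Missing plugin.', 'example' ), 400 );
    }

    update_option( 'example_deactivate_rules', array( $plugin ) );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&updated=1' ) );
    exit;
}

// The form that triggers the action embeds the matching nonce field.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_deactivate_rule">
        <?php wp_nonce_field( 'example_deactivate_rule' ); ?>
        <input type="text" name="plugin">
        <?php submit_button( __( 'Save', 'example' ) ); ?>
    </form>
    <?php
}
```

The order matters: the capability check answers "may this user do this at all", the nonce answers "did this user actually intend this request", and neither replaces the other.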
4. Vulnerability Management
4.1 Reporting and Disclosure
- A dedicated vulnerability reporting channel is available at https://patchstack.com/database/vdp/freesoul-deactivate-plugins.
- The plugin follows a responsible disclosure policy, responding to security reports within 48 hours.
4.2 Patch Management
- Vulnerabilities are patched within 30 days of identification.
- Critical vulnerabilities are addressed immediately, and users who are subscribed to our newsletter are notified of urgent updates.
4.3 Update Mechanism
- The plugin supports automatic updates through the WordPress plugin repository.
- Updates can only be delivered over a secure connection.
5. Monitoring and Incident Response
- Activity Logs: The plugin maintains detailed logs of all administrative actions for audit purposes.
- Incident Response Plan: A predefined plan is in place to handle security incidents, including:
  - Notification of affected users.
  - Deployment of fixes.
  - Post-incident analysis.
6. Compliance and Certification
- The plugin complies with Regulation (EU) 2024/2847 requirements for cyber resilience.
- Independent security audits are conducted annually.
7. User Responsibilities
- Users must ensure WordPress core and plugins are kept up-to-date.
- Use strong credentials and enable two-factor authentication (2FA) for admin accounts.
- Regularly review plugin settings to ensure compliance with their organization’s security policies.
8. Contact and Support
For security issues or inquiries, please contact us with our contact form at https://freesoul-deactivate-plugins.com/contact/.