In accordance with our responsible disclosure policy, if you believe you have found a security vulnerability on Chalk, we encourage you to contact us immediately. We will not bring any lawsuit or law enforcement investigation against you so long as you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
The following vulnerabilities are frequently reported to us but either are not exploitable or pose a very low risk.
- Anything related to standard WordPress functionality (XMLRPC API, WP-JSON API, load-scripts.php, etc.)
  - Please contact WordPress in accordance with their bug bounty policy instead
- DoS on www.chalk.com
- Lack of CSP on www.chalk.com
- Password strength policy