This repository is a boilerplate. Security updates are provided on a best-effort basis on the default branch.
If you are using this boilerplate for a real deployment, you are responsible for:
- Updating WordPress core (via Composer in Bedrock)
- Updating PHP / base container images
- Applying security updates to plugins/themes you add
Please do not open a public GitHub issue for security reports.
Preferred: use GitHub Security Advisories for private disclosure.
- Go to the repository page on GitHub
- Click Security
- Click Report a vulnerability
If GitHub private reporting is not available, you may contact the maintainers by opening an issue asking for a private contact channel (do not include sensitive details).
We aim to:
- Acknowledge receipt within 7 days
- Provide a remediation plan or fix within 30 days (when feasible)
Timelines may vary depending on severity and available maintainer bandwidth.