Dear Security Expert – A Friendly Note From Our Inbox

Every week, like clockwork, our inbox fills up with messages from well-meaning individuals (and some less so) alerting us to “critical” issues they’ve uncovered on our website or platform. It’s become such a regular event that we’re tempted to give these emails their own folder – or maybe even a fan club! 😁

Let us be clear: we genuinely appreciate the time and effort people take to look for potential security vulnerabilities. Real security threats are serious, and we take them that way. However, we’ve noticed a growing trend where many of these reports follow a predictable, copy-paste format, often generated by automated scanning tools. It’s starting to feel a bit like bug bounty Mad Libs.

Once in a while, we do receive a report that uncovers a real, verifiable issue – and for those, we’re truly grateful. But the majority tend to focus on things like generic HTTP headers, CORS configurations, or cache control settings. These aren’t security flaws, just technical preferences that have been debated in developer circles since forever.

Answering every one of these messages takes time – a lot of time, especially when some of these “experts” start demanding payments for their “services,” and when we politely decline, they threaten to drag our name through the social media mud. At that point, it feels less like a security report and more like a thinly veiled extortion attempt. (Just saying – bug bounty programs shouldn’t feel like hostage negotiations.)

So, to save everyone some time and energy, here’s a friendly PSA for anyone planning to contact us about a security concern:

✅ What we are interested in:

  • Clearly replicable vulnerabilities
  • SQL injection
  • Account takeover possibilities
  • Data exfiltration scenarios
  • Anything that poses a genuine risk to our users or system

❌ What we’re not looking for:

  • CORS warnings like “Wildcard with Credentials Exposure Risk”
  • Generic HTTP header checklists
  • Cache policy “improvements”
  • Vague claims like “Credential Disclosure via Intercepted HTTP Request” when no actual credentials are exposed

And just to set expectations:

If a report highlights something relevant, we’ll absolutely get back to you. If you don’t hear from us, please don’t take it personally; it just means the report didn’t meet the threshold of a real security concern.

We truly appreciate those who approach security with good intentions and professionalism. We respect your time, and we hope you’ll do the same for ours.

Warm regards,
The ShortPixel Team

Andrei Alba

Andrei Alba is a support specialist and writer here at ShortPixel. He enjoys helping people understand WordPress through his easily digestible materials.
