{"id":12700,"date":"2025-04-14T12:17:43","date_gmt":"2025-04-14T10:17:43","guid":{"rendered":"https:\/\/shortpixel.com/blog\/?p=12700"},"modified":"2025-04-14T12:34:36","modified_gmt":"2025-04-14T10:34:36","slug":"security-reports-note","status":"publish","type":"post","link":"https:\/\/shortpixel.com\/blog\/security-reports-note\/","title":{"rendered":"Dear Security Expert \u2013 A Friendly Note From Our Inbox"},"content":{"rendered":"\n

Every week, like clockwork, our inbox fills up with messages from well-meaning individuals (and some less so) alerting us to \u201ccritical\u201d issues they\u2019ve uncovered on our website or platform. It’s become such a regular event that we’re tempted to give these emails their own folder – or maybe even a fan club! \ud83d\ude01<\/p>\n\n\n\n

Let us be clear: we genuinely appreciate the time and effort people take to look for potential security vulnerabilities. Real security threats are serious, and we take them that way. However, we’ve noticed a growing trend where many <\/em>of these reports follow a predictable, copy-paste format, often generated by automated scanning tools. It\u2019s starting to feel a bit like bug bounty Mad Libs.<\/p>\n\n\n\n

Once in a while, we do receive a report that uncovers a real, verifiable issue – and for those, we\u2019re truly grateful. But the majority tend to focus on things like generic HTTP headers, CORS configurations, or cache control settings. These aren\u2019t security flaws, just technical preferences that have been debated in developer circles since forever.<\/p>\n\n\n\n

Answering every one of these messages takes time \u2013 a lot of time. Especially when some of these \u201cexperts\u201d start demanding payments for their \u201cservices,\u201d and when we politely decline, they threaten to drag our name through the social media mud. At that point, it feels less like a security report and more like a thinly veiled extortion attempt. (Just saying \u2013 bug bounty programs shouldn\u2019t feel like hostage negotiations.)<\/p>\n\n\n\n

So, to save everyone some time and energy, here\u2019s a friendly PSA for anyone planning to contact us about a security concern:<\/p>\n\n\n\n

\u2705 What we are<\/em> interested in:<\/h3>\n\n\n\n
    \n
  • Clearly replicable vulnerabilities<\/li>\n\n\n\n
  • SQL injection<\/li>\n\n\n\n
  • Account takeover possibilities<\/li>\n\n\n\n
  • Data exfiltration scenarios<\/li>\n\n\n\n
  • Anything that poses a genuine risk to our users or system<\/li>\n<\/ul>\n\n\n\n

    \u274c What we\u2019re not<\/em> looking for:<\/h3>\n\n\n\n
      \n
    • CORS warnings like \u201cWildcard with Credentials Exposure Risk\u201d<\/li>\n\n\n\n
    • Generic HTTP header checklists<\/li>\n\n\n\n
    • Cache policy \u201cimprovements\u201d<\/li>\n\n\n\n
    • Vague claims like \u201cCredential Disclosure via Intercepted HTTP Request\u201d when no actual credentials are exposed<\/li>\n<\/ul>\n\n\n\n

      And just to set expectations: <\/p>\n\n\n\n

      If a report highlights something relevant, we\u2019ll absolutely get back to you. If you don\u2019t hear from us, please don\u2019t take it personally; it just means the report didn\u2019t meet the threshold of a real security concern.<\/p>\n\n\n\n

      We truly appreciate those who approach security with good intentions and professionalism. We respect your time, and we hope you\u2019ll do the same for ours.<\/p>\n\n\n\n

      Warm regards,
      The ShortPixel Team<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

      Every week, like clockwork, our inbox fills up with messages from well-meaning individuals (and some less so) alerting us to \u201ccritical\u201d issues they\u2019ve uncovered on our website or platform. It’s become such a regular event that we’re tempted to give these emails their own folder – or maybe even a fan club! \ud83d\ude01 Let us […]<\/p>\n","protected":false},"author":22,"featured_media":12702,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-12700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-updates-and-news"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/posts\/12700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/comments?post=12700"}],"version-history":[{"count":13,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/posts\/12700\/revisions"}],"predecessor-version":[{"id":12714,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/posts\/12700\/revisions\/12714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/media\/12702"}],"wp:attachment":[{"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/media?parent=12700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/categories?post=12700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shortpixel.com\/blog\/wp-json\/wp\/v2\/tags?post=12700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}