Last Updated: 01.12.2025


1. Our Commitment to Security

At Sakurato.tech, we take security seriously. We implement industry-standard security practices to protect your data and ensure safe use of our WordPress plugins.


2. Security Measures

2.1 Plugin Security

  • Regular Security Audits – we review code for vulnerabilities
  • WordPress Coding Standards – compliance with WordPress.org security guidelines
  • Data Sanitization – all user inputs are sanitized and validated
  • Nonce Verification – protection against CSRF attacks
  • Capability Checks – proper permission checks for admin functions
  • Prepared SQL Statements – prevention of SQL injection

2.2 Data Protection

  • Local Storage – all plugin data stored in YOUR WordPress database
  • No External Data Transmission – we do NOT send your data to external servers (except Freemius for licensing)
  • SSL/TLS Encryption – all communication uses secure HTTPS
  • Password Hashing – sensitive data encrypted using WordPress standards

2.3 Public Links Security

  • Unique Tokens – each public offer link uses a unique, unguessable token
  • Expiration – public links expire after 30 days
  • IP Tracking – basic analytics to detect suspicious activity
  • No Authentication Required – clients can view offers without WordPress login

3. Responsible Disclosure

If you discover a security vulnerability in our plugins, please report it responsibly:

DO:

  • Email us privately at dev@sakurato.tech
  • Provide detailed steps to reproduce the vulnerability
  • Give us reasonable time to fix the issue before public disclosure (we aim for 90 days)

DO NOT:

  • Publicly disclose vulnerabilities before we’ve had time to fix them
  • Exploit vulnerabilities for malicious purposes
  • Test vulnerabilities on production websites without permission

4. Security Updates

  • Critical Security Patches – released immediately upon discovery
  • Regular Updates – routine security improvements with each release
  • Notification – users are notified of critical security updates via the WordPress dashboard

5. Third-Party Dependencies

We minimize third-party dependencies. When used, we:

  • Regularly update libraries to the latest secure versions
  • Monitor security advisories for dependencies
  • Remove unused dependencies

Current Dependencies:

  • Freemius SDK (license management) – regularly updated
  • Quill.js (rich text editor) – served from a secure CDN

6. User Responsibilities

To keep your WordPress site secure:

  • Keep WordPress Updated – always use the latest version
  • Use Strong Passwords – for WordPress admin accounts
  • Limit Admin Access – only trusted users should have admin privileges
  • Regular Backups – back up your WordPress database regularly
  • Use SSL Certificate – enable HTTPS on your website
  • Security Plugins – consider using WordPress security plugins (e.g., Wordfence, iThemes Security)

7. Incident Response

In case of a security breach:

  1. We will investigate and contain the issue immediately
  2. We will notify affected users within 72 hours
  3. We will provide guidance on mitigation steps
  4. We will release a security patch ASAP

8. Compliance

Our plugins comply with:

  • GDPR (General Data Protection Regulation) – EU privacy law
  • WordPress.org Security Guidelines – plugin repository standards
  • OWASP Top 10 – common web application security risks

9. Bug Bounty Program

We currently do NOT have a formal bug bounty program, but we appreciate responsible disclosure and will credit security researchers in release notes.


10. Contact Us

For security concerns, contact us:

  • Security Email: dev@sakurato.tech
  • Website: https://sakurato.tech/contact