The Presence API is an experimental feature plugin. We take security reports seriously and ask that you give us a reasonable window to ship a fix before public discussion.

Do not open a public GitHub issue for security reports.

Use GitHub Security Advisories to report privately. We aim to acknowledge within 72 hours and to issue a patched release within 14 days of acknowledgement, faster if the issue is actively exploited.

In scope: the plugin's PHP, JavaScript, CSS, blueprints, and CI workflows in this repository.

Out of scope: WordPress core itself (report to HackerOne), hosting-layer issues, and third-party plugins that integrate with the Presence API.

Only the most recent release receives security updates. The plugin is pre-1.0; backwards-incompatible changes between minor versions are expected.