Security policy
Honest about what we protect against, and what we don't.
Threat model
Aetos SEO protects against three threat classes:
- Untrusted external attackers — only the public endpoints (under /.well-known/) are reachable without authentication. Every admin entry point requires a logged-in admin AND a valid nonce.
- Compromised admin session — admin-only features still restrict outbound URLs against loopback/private IPs (SSRF guards), validate file uploads, and refuse to write outside the WordPress tree.
- Tampering with the plugin source to bypass licensing — the server-signed remote license response is the authoritative gate. The local checks only raise the bar against casual tampering; they are not what the license decision rests on.
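The SSRF guard in the second threat class (the UrlValidator row in the table below) is the check most often implemented incompletely, so here is an added example of its shape. This is illustrative code, not the plugin's own UrlValidator: the function names, the stub resolver and the sample host table are assumptions constructed for an offline run. The point it makes is that every resolved address, A and AAAA alike, has to be public, and that numeric hosts the HTTP client would interpret as an IP must not be allowed to slip past DNS resolution.

```php
<?php
declare(strict_types=1);

// Added example, not Aetos SEO's own code. Hypothetical helper names.
// Rule: an admin-supplied outbound URL is allowed only if it is http(s),
// carries no credentials, and EVERY address it resolves to is public.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7.
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve A and AAAA; an IP literal (parse_url keeps IPv6 brackets) needs no lookup.
function resolve_all(string $host): array
{
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return [$literal];
    }
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false) {
        return [];
    }
    $ips = [];
    foreach ($records as $r) {
        if (isset($r['ip']))   { $ips[] = $r['ip']; }
        if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }
    }
    return $ips;
}

function validate_outbound_url(string $url, ?callable $resolver = null): array
{
    $resolver ??= 'resolve_all';
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return ['ok' => false, 'reason' => 'unparseable URL'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => 'scheme not allowed'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return ['ok' => false, 'reason' => 'credentials in URL'];
    }
    $host = $parts['host'];
    // "2130706433" or "0x7f000001" are not IP literals to filter_var and will not
    // resolve via DNS, but curl treats them as 127.0.0.1. Refuse them outright.
    if (trim($host, '[]') !== '' && filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) === false
        && preg_match('/^(?:[0-9.]+|0x[0-9a-f]+)$/i', $host)) {
        return ['ok' => false, 'reason' => 'ambiguous numeric host'];
    }
    $ips = $resolver($host);
    if ($ips === []) {
        return ['ok' => false, 'reason' => 'host did not resolve'];
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return ['ok' => false, 'reason' => "resolves to non-public address $ip"];
        }
    }
    return ['ok' => true, 'reason' => 'ok', 'ips' => $ips];
}

// --- Constructed offline demo: a stub resolver stands in for dns_get_record(). ---
$fake_dns = function (string $host): array {
    $table = [
        'broker.example.com' => ['203.0.113.10', '2001:db8::10'], // public A and AAAA
        'dual.example.com'   => ['203.0.113.20', 'fd00::1'],      // public A, ULA AAAA
        'rebind.example.com' => ['127.0.0.1'],
    ];
    $literal = trim($host, '[]');
    return filter_var($literal, FILTER_VALIDATE_IP) !== false ? [$literal] : ($table[$host] ?? []);
};

foreach ([
    'https://broker.example.com/v1/license',
    'https://dual.example.com/hook',           // denied: the AAAA record is private
    'http://[::1]:8080/',                       // denied: loopback literal
    'http://169.254.169.254/latest/meta-data/', // denied: link-local (cloud metadata)
    'http://2130706433/',                       // denied: decimal form of 127.0.0.1
    'ftp://broker.example.com/',                // denied: scheme
] as $url) {
    $r = validate_outbound_url($url, $fake_dns);
    printf("%-45s %s %s\n", $url, $r['ok'] ? 'ALLOW' : 'DENY ', $r['reason']);
}
```

Two caveats a practitioner should keep in mind. First, validating the resolved addresses and then letting the HTTP client resolve the name a second time is a time-of-check/time-of-use gap (DNS rebinding); the robust fix is to pin the request to the address you validated, for example with curl's CURLOPT_RESOLVE, or to re-run the check in a pre-request hook. Second, the two filter_var flags used here are a floor, not a complete list of non-public space; on PHP 8.2 and later FILTER_FLAG_GLOBAL_RANGE rejects the full IANA special-purpose registry and is the stricter choice.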
Layered defenses
| Layer | Defends against |
|---|---|
| Server-signed Ed25519 response | Network MITM, DNS spoofing, fake license endpoint, forged or modified responses (replay of a genuine response is handled by the freshness window and nonce ring buffer below) |
| HMAC build tuple | Casual tampering, copy-paste bypass guides |
| Build-manifest hashes | Targeted file edits |
| Honeytoken | Bypass-guide tutorials |
| Freshness window (±36h) | Long-term replay of captured signed responses |
| Nonce ring buffer (last 8) | Alternating-nonce replay within freshness window |
| UrlValidator (A+AAAA, private-IP block) | Admin-driven SSRF |
| Atomic audit-run lock | Race-driven duplicate cron/AJAX execution |
| KB roots containment | Admin-set indexing root pointing outside the WordPress tree |
| Prompt-injection sanitizer | Indexed file content acting as LLM directives in external AI calls |
| CSV/XLSX neutralizer | Excel-DDE / formula injection via crafted finding fields |
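The first, fifth and sixth rows of the table (signature, freshness window, nonce ring buffer) only work as a set: the signature proves origin, the ±36h window bounds how long a captured response is useful, and the nonce ring stops the same fresh response being presented twice. The following is an added example of how the three compose on the verifying side. It is not the plugin's own code; the response field names (issued_at, nonce, status), the helper names, the throwaway keypair and the reading of the legacy NSR_ELMTAGR_SEO_ALLOW_INSECURE_LICENSE_RESPONSE constant (tolerate a missing signature, never a wrong one) are all assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Aetos SEO's own code. Hypothetical field and helper names.

const LICENSE_FRESHNESS_SECONDS = 36 * 3600; // the +/-36h window from the table
const NONCE_RING_SIZE = 8;                   // the last-8 ring from the table

/**
 * @param string   $body          raw JSON response body, exactly the bytes that were signed
 * @param string   $signature_b64 detached Ed25519 signature over $body, base64 ("" if absent)
 * @param string   $server_pubkey 32-byte Ed25519 public key pinned in the plugin
 * @param string[] $nonce_ring    recently accepted nonces (persisted by the caller); updated on success
 * @param int      $now           current Unix time, injected so the window can be exercised
 * @return array{ok: bool, reason: string}
 */
function verify_license_response(string $body, string $signature_b64, string $server_pubkey, array &$nonce_ring, int $now): array
{
    $allow_insecure = defined('NSR_ELMTAGR_SEO_ALLOW_INSECURE_LICENSE_RESPONSE')
        && constant('NSR_ELMTAGR_SEO_ALLOW_INSECURE_LICENSE_RESPONSE') === true;

    // Layer 1: origin. A missing or malformed signature passes only under the legacy
    // flag; a signature that is present but does not verify is always fatal.
    $sig = $signature_b64 === '' ? false : base64_decode($signature_b64, true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        if (!$allow_insecure) {
            return ['ok' => false, 'reason' => 'missing or malformed signature'];
        }
    } elseif (!sodium_crypto_sign_verify_detached($sig, $body, $server_pubkey)) {
        return ['ok' => false, 'reason' => 'signature does not verify'];
    }

    // Only now is the body trusted enough to parse.
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['issued_at'], $data['nonce'], $data['status'])
        || !is_int($data['issued_at']) || !is_string($data['nonce']) || $data['nonce'] === '') {
        return ['ok' => false, 'reason' => 'malformed response'];
    }

    // Layer 2: freshness. The tolerance is symmetric, so it also absorbs clock skew
    // between the signing server and the WordPress host.
    if (abs($now - $data['issued_at']) > LICENSE_FRESHNESS_SECONDS) {
        return ['ok' => false, 'reason' => 'outside freshness window'];
    }

    // Layer 3: replay. A fresh, genuine response is accepted once; its nonce then
    // blocks re-presentation while it remains among the last 8 accepted.
    if (in_array($data['nonce'], $nonce_ring, true)) {
        return ['ok' => false, 'reason' => 'replayed nonce'];
    }
    $nonce_ring[] = $data['nonce'];
    $nonce_ring   = array_slice($nonce_ring, -NONCE_RING_SIZE);

    return ['ok' => $data['status'] === 'valid', 'reason' => 'status=' . $data['status']];
}

// Server side, reduced to what the verifier needs: sign the exact body bytes.
function sign_response(array $fields, string $secret_key): array
{
    $body = json_encode($fields, JSON_THROW_ON_ERROR);
    return [$body, base64_encode(sodium_crypto_sign_detached($body, $secret_key))];
}

// --- Constructed demo with a throwaway keypair standing in for the server key. ---
$kp   = sodium_crypto_sign_keypair();
$pub  = sodium_crypto_sign_publickey($kp);
$sec  = sodium_crypto_sign_secretkey($kp);
$now  = time();
$ring = [];

[$body, $sig] = sign_response(['status' => 'valid', 'issued_at' => $now, 'nonce' => bin2hex(random_bytes(16))], $sec);

$cases = [
    'fresh, signed, unseen nonce'      => [$body, $sig, $now],
    'same response presented again'    => [$body, $sig, $now],
    'captured response, 40h later'     => [$body, $sig, $now + 40 * 3600],
    'body edited after signing'        => [str_replace('"valid"', '"revoked"', $body), $sig, $now],
    'unsigned body (no legacy flag)'   => [$body, '', $now],
];
foreach ($cases as $label => [$b, $s, $t]) {
    $r = verify_license_response($b, $s, $pub, $ring, $t);
    printf("%-32s %s (%s)\n", $label, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
}
```

Two properties of this composition are worth stating explicitly. Parsing happens after signature verification, so a forged body never reaches json_decode. And an 8-entry ring is a bound, not a cure: an attacker holding nine or more distinct genuine responses that are all still inside the window could rotate them, which is exactly why the freshness window sits in front of the ring and why the flag that relaxes the signature check is called a footgun below.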
Reporting a vulnerability
Email admin@nsrelmtagr.com with:
- Affected plugin version
- A minimal reproduction (URL, admin role, exact request)
- Your timeline preference
We aim to acknowledge within 48 hours. Please do not open a public GitHub issue or social-media post for unpatched vulnerabilities. We credit reporters in the changelog unless you prefer anonymity.
Multi-model audit history
Aetos SEO went through a 7-round audit cycle with four independent code reviewers:
- Claude Opus — initial structural audit + fix shepherding
- Gemini Pro — IPv6 SSRF, query-string nonce parser, license replay
- DeepSeek Expert — atomic-lock race, broker URL SSRF
- ChatGPT — license fail-open, KB containment, XLSX neutralizer routing
22+ findings closed across 5 patch releases. All reviewers shipped YES verdicts on v3.1.5. Full changelog: /changelog.
Hardening flags (advanced)
These constants relax the defaults. Both are opt-in, and neither belongs on a production site. Define them in wp-config.php:
- NSR_ELMTAGR_SEO_ALLOW_INSECURE_LICENSE_RESPONSE — opt out of the strict response-signature requirement. Legacy compat only, and a footgun: with it set, a license response without a valid server signature can be accepted, which removes the authoritative gate described under "Threat model".
- NSR_ELMTAGR_SEO_ALLOW_DEV_MODE — let an unbuilt plugin run on a non-localhost domain (dev/QA only).
Out of scope
- Compromise of the WordPress install itself (database read, file-system write).
- State-level adversaries able to mint valid Cloudflare Worker (license-server) signatures, i.e. who hold the server-side Ed25519 signing key.
- Side-channels in the host PHP/MySQL stack (Spectre, row-hammer, FS races outside our locks).