Security & Vulnerability Disclosure
Last updated: April 29, 2026.
1. Reporting a vulnerability
If you discover a security issue affecting Pantry Suite or any data flowing through it, please report it to the shop owner via the Etsy storefront contact form for elfatimishop. We acknowledge reports within seventy-two hours; the remediation timeline depends on severity.
Please do not publicly disclose the issue until a fix has been deployed. We will credit responsible disclosure in release notes if the reporter wishes to be named.
2. In scope
- The public landing surface at this domain.
- The local administrative application (CPT, hardening, REST endpoints registered by the theme).
- Any handling of OAuth tokens issued by the Etsy Open API.
3. Out of scope
- Etsy.com itself — report Etsy infrastructure issues to Etsy directly.
- Third-party services referenced for fonts (Google Fonts) or images (Etsy CDN).
- Vulnerabilities in unmodified WordPress core — report upstream to WordPress.
- Reports requiring a non-default WordPress configuration outside what this theme ships.
4. Operational controls
- Content Security Policy — nonce-based script-src; scripts must carry a per-request nonce.
- HSTS — enforced when served over TLS.
- X-Frame-Options — DENY.
- Referrer-Policy — strict-origin-when-cross-origin.
- Permissions-Policy — camera, microphone, geolocation disabled.
- OAuth tokens — stored on the operator workstation only, in a permission-restricted file; never transmitted to any non-Etsy host.
- XML-RPC, author archives, REST user enumeration, feeds — all disabled at the application level.
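The header controls above can be checked mechanically. The following Python is an added example, not code shipped by the Pantry Suite theme: it builds the header set described in this section for one request (with a fresh script nonce) and audits an arbitrary response header map against the same policy, reporting each control that is missing or weaker than stated. The HSTS max-age and the exact CSP string are assumptions; the page only says HSTS is enforced over TLS and that script-src is nonce-based.

```python
import secrets


def new_script_nonce() -> str:
    """Fresh per-request nonce (128 bits, base64url) for the CSP script-src directive."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str, over_tls: bool = True) -> dict:
    """Header set matching section 4. Values not stated on the page are assumed."""
    headers = {
        # Nonce-based script-src: only scripts carrying this request's nonce run.
        "Content-Security-Policy": f"script-src 'nonce-{nonce}'",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }
    if over_tls:
        # HSTS only makes sense on a TLS response; max-age is an assumed value.
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return headers


def _csp_directives(csp: str) -> dict:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}."""
    out = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def audit_headers(headers: dict, over_tls: bool = True) -> list:
    """Return one finding per control from section 4 that the response fails."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp: header missing")
    else:
        src = _csp_directives(csp).get("script-src")
        if src is None:
            findings.append("csp: no script-src directive")
        elif not any(s.startswith("'nonce-") for s in src):
            findings.append("csp: script-src is not nonce-based")
    if over_tls and "strict-transport-security" not in h:
        findings.append("hsts: missing although served over TLS")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options: expected DENY")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("referrer-policy: expected strict-origin-when-cross-origin")
    policy = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("camera", "microphone", "geolocation"):
        if f"{feature}=()" not in policy:
            findings.append(f"permissions-policy: {feature} not disabled")
    return findings


# Constructed sample of a weak response (not captured from any real host).
WEAK_RESPONSE = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print(finding)
```

Run the audit over the headers of a captured response to confirm a deployment still matches this section after a theme or hosting change; an empty list means every listed control is present with the stated value.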
5. Cryptography & OAuth
- OAuth 2.0 with PKCE (code challenge S256).
- state parameter validated on callback.
- Refresh tokens rotated on use.
- No long-lived client secrets in client-side code.
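As an added example of the first two controls (not the theme's own OAuth code), the following Python shows the client side of an S256 PKCE flow with a single-use state value: the verifier and challenge are derived exactly as RFC 7636 specifies, the state is bound to the pending flow and checked on callback with a constant-time comparison, and a replayed or foreign callback is rejected. Names such as PkceClient and the callback URL are assumptions for illustration; server_verifies shows the check the authorization server performs at the token endpoint.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 bytes become 43 unreserved characters (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingFlow:
    verifier: str
    challenge: str
    state: str


class PkceClient:
    """Hypothetical client: keeps verifier and state only until the callback arrives."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingFlow] = {}

    def begin(self) -> PendingFlow:
        verifier = make_code_verifier()
        flow = PendingFlow(verifier, s256_challenge(verifier), secrets.token_urlsafe(32))
        self._pending[flow.state] = flow
        return flow

    def authorize_params(self, flow: PendingFlow) -> dict:
        """Query parameters sent to the authorization endpoint; the verifier never leaves the client."""
        return {
            "response_type": "code",
            "code_challenge": flow.challenge,
            "code_challenge_method": "S256",
            "state": flow.state,
        }

    def handle_callback(self, callback_url: str) -> tuple[str, str]:
        """Validate state; return (code, verifier) for the token request, or raise."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        code = query.get("code", [""])[0]
        # Constant-time match against every pending state so timing reveals nothing.
        matched = None
        for stored in self._pending:
            if hmac.compare_digest(stored.encode(), state.encode()):
                matched = stored
        if matched is None:
            raise ValueError("state mismatch: callback is not bound to a flow we started")
        flow = self._pending.pop(matched)  # single use: a replay fails the lookup above
        if not code:
            raise ValueError("callback carries no authorization code")
        return code, flow.verifier


def server_verifies(challenge: str, verifier: str) -> bool:
    """The authorization server's token-endpoint check: SHA256(verifier) must equal the stored challenge."""
    return hmac.compare_digest(s256_challenge(verifier), challenge)


if __name__ == "__main__":
    client = PkceClient()
    flow = client.begin()
    print(client.authorize_params(flow))
    # Constructed callback URL for demonstration only.
    code, verifier = client.handle_callback(f"https://localhost/cb?code=demo&state={flow.state}")
    print("server accepts verifier:", server_verifies(flow.challenge, verifier))
```

The verifier is never sent to the authorization endpoint, only its SHA-256 challenge, so an intercepted authorization code cannot be redeemed without it; the state lookup is popped on first use, which is what makes a replayed callback fail.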
6. Safe-harbour
Good-faith research that complies with this policy will not result in legal action. Please test only against accounts and shops you own.