Information for Security Researchers

If you have discovered a vulnerability in one of our products we want to hear from you as soon as possible. Please gather as much information together as you can so we can work quickly to address it. Here’s a checklist of the details we’d like to see.

  1. Severity (high, medium, low)
  2. Vulnerability Type: e.g., DoS, Overflow, XSS, CSRF, etc
  3. Exploitation Requires Authentication?: yes/no
  4. Version(s) of Gravity Forms (or Add-On) affected
  5. A description of the vulnerability
  6. Do you have reason to believe the vulnerability is being exploited?
  7. Are details of an exploit publicly available? If so, please provide us with a URL.
  8. What is the potential impact? How do you envisage it being used in an attack scenario?
  9. DREAD score, if known.
  10. CVE Identifier / Reference / Advisory Number, if applicable.
  11. If you wish to be credited for the responsible disclosure in the release announcement and the change log, please let us know. If you plan to disclose details of the vulnerability, please do let us know so we can coordinate the timing of the disclosure together.
  12. Any additional comments.

If you are a customer please open a support ticket as soon as possible and make it clear in the subject that your are reporting a security vulnerability.

If you are not a customer send all the details to We have developers in a few time zones so don’t assume you have to leave it till the morning.

We’ll acknowledge receipt as soon as we’ve read it. If confirmed we’ll plan a patch and let you know when we plan to release it.