[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Thu Apr 20 09:28:23 UTC 2023
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by yani.iliev):
**Thank you** for taking the time to write such a detailed ticket
description.
As a plugin author, I just need a way to make the vulnerability reporting
link easily accessible and visible to security reporters. As an MVP, I'd
start with just a link but make it **required**. This is similar to how
the "Support" link works for Commercial plugins.
The changelog request fails to consider that not everyone who reads the
changelog is technical and understands the scope of the issue. The
technical terms used to describe security issues can create FUD among non-technical users.
To address this, I propose that the changelog remains simple without
creating unnecessary FUD, but includes links to the technical explanation
of a security issue and how it was fixed. Plugin authors can be provided
with a changelog template to use in their plugins.
Reporting a security vulnerability in a plugin can trigger an immediate
disabling of the said plugin from the WordPress.org plugin repo. This rule
has to change to give plugin authors time to address the issue before
taking action.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>