[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins

Making WordPress.org noreply at wordpress.org
Fri Apr 21 14:06:44 UTC 2023


#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
 Reporter:  dd32              |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:  2nd-opinion       |
------------------------------+---------------------

Comment (by yani.iliev):

 Replying to [comment:7 dd32]:
 > Replying to [comment:5 fearzzzz]:
 > > Many developers seem ashamed of their lack of knowledge, of their
 > > mistakes, and this has its consequences on many internal processes. But
 > > silence or ignoring security issues only makes the situation worse.
 >
 > I think this is a key part of the issue, no developer writes 100% secure
 > code all the time, but equally, no developer ever really wishes to admit
 > that. Part of the problem is that while developers may understand this,
 > users of plugins may not, and it's their opinion that matters for plugin
 > authors.
 > But equally, there are often security fixes that are more of a
 > 'hardening' change - something that is technically a vulnerability
 > (perhaps often viewed by the author as nothing but a nitpick) but yet so
 > extremely unlikely to actually ever be used against a site, and that
 > the fear of simply mentioning 'security' drives fear into authors.

 As a plugin developer, the reluctance to mention 'security' in a changelog
 is often driven by the fear, uncertainty, and doubt that it may instill in
 users, rather than an unwillingness to admit mistakes. To create a more
 welcoming atmosphere, penetration testers and security researchers should
 consider improving their public image. This could involve adopting more
 approachable profile images, usernames, and communication styles, which
 currently can appear intimidating or off-putting.

 A more inclusive approach to addressing security issues could include
 labeling them simply as "Security" and providing detailed descriptions on
 a separate page for advanced users interested in more information. This
 could encourage better adoption by users with varying levels of security
 knowledge by simplifying the information presented to them.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:9>
Making WordPress.org <https://meta.trac.wordpress.org/>