[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins

Making WordPress.org noreply at wordpress.org
Fri Apr 21 18:21:00 UTC 2023


#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
 Reporter:  dd32              |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:  2nd-opinion       |
------------------------------+---------------------

Comment (by fearzzzz):

 Replying to [comment:7 dd32]:
 > But equally, there are often security fixes that are more of a
 > 'hardening' change - something that is technically a vulnerability
 > (perhaps often viewed by the author as nothing but a nitpick) but yet so
 > extremely unlikely to actually ever be used against a site, and that
 > the fear of simply mentioning 'security' drives fear into authors.
 Yup, I agree with you. Maybe this case can be solved by additional reference
 information with examples?

 Replying to [comment:9 yani.iliev]:
 > As a plugin developer, the reluctance to mention 'security' in a
 > changelog is often driven by the fear, uncertainty, and doubt that it may
 > instill in users, rather than an unwillingness to admit mistakes.
 How can this scare users and customers if the vulnerability is fixed? In
 fact, the plugin has become better and safer.
 I assume that these are the consequences of silence on security issues. If
 so, then sooner or later it will still have to be done. Don't be afraid of
 any security issues; we need to talk about them.

 > To create a more welcoming atmosphere, penetration testers and security
 > researchers should consider improving their public image. This could
 > involve adopting more approachable profile images, usernames, and
 > communication styles, which currently can appear intimidating or
 > off-putting.
 NGL, this is the first time in my life I have heard such an opinion. Is this
 your personal experience as a plugin developer?

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:10>
Making WordPress.org <https://meta.trac.wordpress.org/>