[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Thu Jun 15 18:00:53 UTC 2023
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by Ipstenu):
> This button should just be for a hyperlink, I don't think WordPress
> should force reports to go through its own system. Many plugins use
> platforms such as Hackerone, BugCrowd, Patchstack mVDP, etc. where
> security vulnerabilities should be reported.
The problem here is that those people are the ''minority'' (seriously,
over 100k plugins, I promise you less than 5% use those tools, and those
who do are the ones who aren't the problem ... most of the time ;) ). So
we should default to our system unless there's an alternative provided by
the developer.
But.
If we remove the option to report via WordPress.org, then what happens if
the developer ignores the report via their designated system? Or what if
they want a report to be on their website, and the site is down?
We should always have a 'fallback' of 'report to .org'
Maybe add in a checkbox for "Yes, I tried the other route." but we have to
keep a way for .org to get notified. Maybe not default, but still.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:14>
Making WordPress.org <https://meta.trac.wordpress.org/>