[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Thu Jun 15 18:09:23 UTC 2023
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by oliversild):
Replying to [comment:14 Ipstenu]:
> > This button should just be for a hyperlink, I don't think WordPress
> > should force reports to go through its own system. Many plugins use
> > platforms such as Hackerone, BugCrowd, Patchstack mVDP, etc. where
> > security vulnerabilities should be reported.
>
> The problem here is that those people are the ''minority'' (seriously,
> over 100k plugins, I promise you less than 5% use those tools, and those
> who do are the ones who aren't the problem ... most of the time ;) ). So
> we should default to our system unless there's an alternative provided by
> the developer.
>
> But.
>
> If we remove the option to report via WordPress.org, then what happens
> if the developer ignores the report via their designated system? Or what
> if they want a report to be on their website, and the site is down?
>
> We should always have a 'fallback' of 'report to .org'
>
> Maybe add in a checkbox for "Yes, I tried the other route." but we have
> to keep a way for .org to get notified. Maybe not default, but still.
I agree. The default option can be a WordPress.org form. It should just not be
the forced way, as in some countries we even have regulations in place that
companies need to have their own responsible disclosure program, and in
these cases many would want to point to a security.txt on their site or to
a bug hunting platform. An additional thought is that some might not feel
comfortable if the security reports are passed through any third party, so
they would wish to link to their own form for privacy reasons.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:15>
Making WordPress.org <https://meta.trac.wordpress.org/>