[wp-meta] [Making WordPress.org] #6909: Internal Messaging Between Users (and how to gate it)
Making WordPress.org
noreply at wordpress.org
Fri Mar 31 14:03:39 UTC 2023
#6909: Internal Messaging Between Users (and how to gate it)
-----------------------------+--------------------
Reporter: mrfoxtalbot | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone:
Component: Profiles | Keywords:
-----------------------------+--------------------
There are several scenarios where a (well vetted) internal messaging system
would facilitate communication among contributors but I want to focus on
security reports to illustrate why I think we should explore this.
Most plugin vulnerabilities are discovered by or reported to sec
researchers who are not part of the plugin review team. Depending on the
impact of the threat, researchers will first try to contact the plugin
author to inform them about the threat before the issue is escalated to
the plugins team for their attention. See
[https://meta.trac.wordpress.org/ticket/1690 #1690].
The problem is that researchers often struggle to find a valid method to
contact plugin authors. Allowing some kind of internal messaging would
make this process a lot easier.
**Vetting Internal Messaging**
The idea to implement some type of internal messaging system has always
been around and it goes back as far as [https://meta.trac.wordpress.org/ticket/10
#10] but concerns about spamming, harassing and such have always been
raised (and rightly so).
There are several approaches we could explore to create this "safe" email
list in order to minimize abuse:
- Anyone can completely opt-out of receiving emails from other users.
- Only profiles that have existed for X amount of time and have Y number
of badges can contact other accounts.
- The notifications emails would include a link that would allow the
recipient to report it as spam. After a set number of reports, that user
would be blocked from sending more messages.
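As an added illustration (not code from this ticket or from WordPress.org), here is a Python sketch of the three gating rules above; the thresholds, the secret, and the profile fields are assumed placeholders. It also fills in one detail the list leaves open: the "report as spam" link is bound to a specific message and recipient so it cannot be forged, and each message counts once so repeated clicks do not inflate the tally.

```python
import hmac, hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed values standing in for the ticket's "X amount of time" and "Y number of badges".
MIN_ACCOUNT_AGE = timedelta(days=90)
MIN_BADGES = 1
SPAM_REPORT_LIMIT = 3
SECRET = b"constructed-demo-secret"   # in production: loaded from server config, never hard-coded
TODAY = date(2023, 3, 31)             # constructed reference date for the demo

@dataclass
class Profile:
    username: str
    registered: date
    badges: int = 0
    accepts_messages: bool = True                          # rule 1: per-user opt-out
    reported_messages: set = field(default_factory=set)    # message ids reported against this sender
    blocked: bool = False

def make_profile(username, registered_iso, badges=0, accepts_messages=True):
    return Profile(username, date.fromisoformat(registered_iso), badges, accepts_messages)

def can_send(sender: Profile, recipient: Profile, today: date = TODAY):
    """Apply the gating rules; return (allowed, reason) so the UI can explain a refusal."""
    if not recipient.accepts_messages:
        return False, "recipient has opted out"
    if sender.blocked:
        return False, "sender blocked after spam reports"
    if today - sender.registered < MIN_ACCOUNT_AGE:          # rule 2a: account age
        return False, "sender account too new"
    if sender.badges < MIN_BADGES:                           # rule 2b: badge count
        return False, "sender has too few badges"
    return True, "ok"

def report_token(message_id: str, recipient: str) -> str:
    """Token embedded in the notification email's report link (rule 3).
    Keying it to message and recipient means only the actual recipient can report it."""
    return hmac.new(SECRET, f"{message_id}:{recipient}".encode(), hashlib.sha256).hexdigest()

def report_spam(sender: Profile, message_id: str, recipient: str, token: str) -> bool:
    """Record one report per message; block the sender once the limit is reached."""
    if not hmac.compare_digest(token, report_token(message_id, recipient)):
        return False                                         # forged or tampered link: ignore
    sender.reported_messages.add(message_id)                 # set membership makes repeat clicks idempotent
    if len(sender.reported_messages) >= SPAM_REPORT_LIMIT:
        sender.blocked = True
    return True
```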
As a very raw MVP solution that would recycle existing infrastructure, we
could leverage the email forwarding system we use to onboard users into
Slack (in my case mrfoxtalbot at chat.wordpress.org). Currently those emails
will only forward messages coming from specific emails but we could
conceivably add "safe" email accounts to that list.
Props to @javiercasares for bringing up this idea during WC Torrelodones.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6909>
Making WordPress.org <https://meta.trac.wordpress.org/>