[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Tue May 30 07:19:40 UTC 2023
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by lanacodes):
I would definitely recommend that even in the first version there should
be trusted reporters (who are security researchers at a company, or who
already have several verified reports that they can confirm with CVE) and
average reporters.
Reports from average reporters must be moderated and approved before those
reports go to the developer.
I am sure that average users would fill out the form and submit the report
due to a malfunction or bug in the plugin. This needs to be made difficult
for them.
I think that security reporters should also be encouraged to first try to
contact the developer, either by email or via the contact form on the
developer's website. There may be strange cases when the plugin developer
has a different email address than the one he uses at wp.org, and he does
not receive the reports, while the developer can be reached at the email
address indicated in the description or elsewhere.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:11>
Making WordPress.org <https://meta.trac.wordpress.org/>