[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins

Making WordPress.org noreply at wordpress.org
Tue May 30 07:19:40 UTC 2023

#6939: Reporting Security vulnerabilities in plugins
 Reporter:  dd32              |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:  2nd-opinion       |

Comment (by lanacodes):

 I would definitely recommend that even in the first version there should
 be trusted reporters (who are security researchers at a company, or who
 already have several verified reports that they can confirm with CVE) and
 average reporters.

 Reports from average reporters must be moderated and approved before those
 reports go to the developer.

 I am sure that average users would fill out the form and submit the report
 due to a malfunction or bug in the plugin. This needs to be made difficult
 for them.

 I think that security reporters should also be encouraged to first try to
 contact the developer, either by email or via the contact form on the
 developer's website. There may be strange cases when the plugin developer
 has a different email address than the one he uses at wp.org, and he does
 not receive the reports, while the developer can be reached at the email
 address indicated in the description or elsewhere.

Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:11>
Making WordPress.org <https://meta.trac.wordpress.org/>