[wp-meta] [Making WordPress.org] #7259: Add a "Report a vulnerability" button/link to plugin repo pages
Making WordPress.org
noreply at wordpress.org
Fri Sep 8 09:05:01 UTC 2023
#7259: Add a "Report a vulnerability" button/link to plugin repo pages
------------------------------+---------------------
Reporter: mrfoxtalbot | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+---------------------
Comment (by fearzzzz):
Replying to [comment:5 oliversild]:
> I think forcing plugin developers to set up a security point of contact
> (which btw is already required by law in some EU countries) is a great and
> lowest-effort way to get them to think about security and take
> responsibility.
Someone has to enforce and track this requirement, otherwise it makes no
sense. A similar example is developers maintaining a change log.
Everyone does what they want, and in the security field even this little
thing creates various problems.
> There should be a "Report a security issue" button, 100%, but it should
> be a customisable link to their vulnerability disclosure policy,
> security.txt, bug bounty program, etc.
Yes, and we need some kind of backup option here in case the developers:
- indicate incorrect data;
- lose their domain (quite a common case);
- do not respond to incoming requests (an even more common case).
> WordPress.org should not force researchers to report vulnerabilities to
> the Plugin Team, because it will clash with the plugins' vulnerability
> disclosure policies and bug bounty programs.
I think exactly the same, but WordPress.org won't be able to force
''researchers'' to do something. Companies - maybe, but not researchers.
On the part of researchers, participation in all these procedures is a
gesture of goodwill, when everything could happen according to a different
scenario (and we have well-known examples of how exactly this could go).
What if developers don't have their own VDPs and can only solve these
security-related issues through the WordPress Plugins team?
> It's also an unwanted overhead for the WordPress volunteers and it's not
> reasonable for WordPress.org to cover vulnerability triage for 60K+
> vendors.
One way or another, someone should control the process in case things
aren't going smoothly and the problem needs to be solved.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7259#comment:6>
Making WordPress.org <https://meta.trac.wordpress.org/>