[wp-meta] [Making WordPress.org] #7259: Add a "Report a vulnerability" button/link to plugin repo pages

Making WordPress.org noreply at wordpress.org
Thu Sep 21 06:50:03 UTC 2023


#7259: Add a "Report a vulnerability" button/link to plugin repo pages
------------------------------+---------------------
 Reporter:  mrfoxtalbot       |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |
------------------------------+---------------------

Comment (by oliversild):

 "Someone has to enforce and track this requirement, otherwise it makes no
 sense. A similar example is maintaining a change log by developers.
 Everyone does what they want, and in the security field even this little
 thing creates different problems."

 You can quite easily enforce it by asking plugin developers to give a link
 or email of their "security point of contact". You should not be able to
 submit a new plugin without doing this. You could also enforce it on
 existing plugins in a way that they can't release a new update without
 having the security point of contact added. Older plugins that have not
 yet added their own link or email for security point of contact should
 have the button fall back to the WP.org plugin team.

 "Yes, and we need some kind of backup option here in case the developers:
 indicate incorrect data;
 will lose their domain (quite common case);
 will not respond to incoming requests (x2 quite common case)."

 This I think is out of scope. All WP.org can do is add a disclaimer that
 the security point of contact link/email needs to be accessible and it
 should be possible to reach out to the plugin dev. regarding security
 issues at all times. If for some reason this is not the case (email
 bouncing back, URL broken, etc.), then the plugin is failing with the
 requirements and should get closed (if it's not getting fixed).

 "I think exactly the same, but WordPress.org won't be able to force
 researchers to do something. Companies - maybe, but not researchers. On
 the part of researchers, participation in all these procedures is a
 gesture of goodwill, when everything could happen according to a different
 scenario (and we have well-known examples of how exactly this could be)."

 Yes, you can't force security researchers to do anything. All you can do
 is make reporting vulnerabilities as easy and straightforward as possible,
 so they don't disclose the vulnerabilities elsewhere (which is bad for the
 plugin developer and for the entire WordPress ecosystem).

 "What if developers don't have their own VDPs and can only solve these
 security related issues through the WordPress Plugins team?"

 They should have. If they don't have a VDP, then at least they should
 have a separate security point of contact form or an email. This needs to
 become a standard in the WordPress ecosystem as it is elsewhere in the
 wider open-source space.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7259#comment:8>
Making WordPress.org <https://meta.trac.wordpress.org/>