[wp-meta] [Making WordPress.org] #7259: Add a "Report a vulnerability" button/link to plugin repo pages

Making WordPress.org noreply at wordpress.org
Fri Sep 22 05:52:39 UTC 2023


#7259: Add a "Report a vulnerability" button/link to plugin repo pages
------------------------------+---------------------
 Reporter:  mrfoxtalbot       |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |
------------------------------+---------------------

Comment (by oliversild):

 Replying to [comment:9 Otto42]:
 > Replying to [comment:8 oliversild]:
 > > This needs to become a standard in the WordPress ecosystem as it is
 > > elsewhere in the wider open-source space.
 >
 > Please, point us to where this is actually a standard. Any URL,
 > documentation, or anything you want that shows that this is a standard in
 > the "open source space".

 Happy to do that. I think when we look at open-source content management
 systems (most similar to WordPress), then a great example is **Drupal**.
 In the Drupal modules library, each module page has a dedicated link to
 report security vulnerabilities, like this:
 https://www.drupal.org/project/webform
 [[Image(https://i.imgur.com/fvyRXYk.png)]]

 Another open-source content management system similar to WordPress is
 Joomla. They also have a standard way of reporting security vulnerabilities
 for **Joomla** extensions. (This example is not the best way to do it, at
 least for WordPress: they have a single security point of contact for all
 extensions, which can work for them, but not at the scale that WordPress
 has.) https://extensions.joomla.org/vulnerable-extensions/submit-a-report/
 [[Image(https://i.imgur.com/DQZpqWq.png)]]

 When we look beyond content management systems, but stay in the
 open-source PHP ecosystem, then another example is **Packagist**. They have
 a separate section for "Security Vulnerabilities" where the developers can
 set their own security point of contact (I think that's the way WordPress
 should do it as well). Example:
 https://packagist.org/packages/laravel/laravel
 [[Image(https://i.imgur.com/ggxUD4q.png)]]
 [[Image(https://i.imgur.com/4LJUtAK.png)]]

 I hope that helps.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7259#comment:11>
Making WordPress.org <https://meta.trac.wordpress.org/>