[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Wed Dec 11 08:13:01 UTC 2024
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by dd32):
Let's take a scaled back MVP approach to automate ''some'' of the work
that the plugin security team is currently having to do.
Similar to #7259.
MVP:
- A report form exists '''accessible to trusted users only'''. Reporters
who we will trust ''blindly'' to report valid issues only.
- Upon a report being received:
- Store details in CPT.
- Notify plugin author, CC the plugins team (for awareness).
- Start a 7/31 day countdown. (<10k installs: 7 day; >=10k installs: 31
day)
- Allow plugins team to cancel this timer (inc. Marking as resolved)
- Upon the countdown being exceeded:
- If the plugin was last_updated <= security reported time
- Close the plugin, as security. (if Plugin install count < 100k, if
greater: alert plugins team)
- Email the plugin author, and CC'ing plugins team, as a FYI
- If the plugin has been updated:
- Email the plugins team, for verification.
Further Iterations:
1. Allow plugin author to acknowledge issue (Maybe that grants >7d
timer?); and mark as resolved (Such that plugin security team can confirm
and pre-emptively cancel auto-close).
2. Open form to lesser-trusted people; with the report being made as
`unverified` which does not trigger automated workflows. Possibly linked
publicly as per #7259, but with heavy suggestion of "Not for Support".
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:18>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org
More information about the wp-meta
mailing list