[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Wed Dec 11 09:47:14 UTC 2024
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by oliversild):
By law, many plugins/themes that are provided as software products (those
with multiple contributors, which are therefore by law considered open
source stewards, OR those with any commercial activity, which are therefore
by law considered manufacturers) **are obligated to have their own
vulnerability reporting set up by early 2026**.
That being said, I think it's reasonable to ask that all WordPress plugin
repo pages should just have a "report security vulnerability" button, which
must be a working hyperlink (either to their VDP program, security.txt
file, or a bug bounty program). This should be mandatory for all new plugin
submissions as soon as possible, and all existing plugins/themes should be
given time until early 2026 to add it (as demanded by the European law).
I would advise against building some complex solution that potentially
creates even more overhead for the plugin review team and that will most
likely be replaced with something else in the future anyway.
I also recommend that everyone look at this explainer to better understand
how the Cyber Resilience Act will affect the open source ecosystem
(including WordPress): https://www.youtube.com/watch?v=uOk4WIFddsc
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:20>
Making WordPress.org <https://meta.trac.wordpress.org/>