[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Thu Dec 12 01:12:34 UTC 2024
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by dd32):
Replying to [comment:19 JavierCasares]:
> What happens if the plugin has a way to report security issues? For
> example, I use the GitHub reporting, or Patchstack has its own form for
> some plugins...
For now, that won't be covered by the MVP. Initially the form will only be
available to trusted reporters who otherwise email plugins at . It's assumed
that the verifier has already exhausted methods of contacting the plugin
author (At least, they ''claim'' to, but often obvious contact methods are
missed).
Regardless, the plugins team should still use the same close-as-security
workflows if the plugin author hasn't resolved a report within a
reasonable timeframe.
Simply handing off security reporting to a 3rd-party reduces the ability
for WordPress.org to ensure that only secure plugins are distributed here.
Replying to [comment:20 oliversild]:
> By law, many plugins/themes that are provided as software products (have
> multiple contributors, therefore by law considered open source stewards OR
> have any commercial activity and therefore by law considered
> manufacturers) **are obligated to have their own vulnerability reporting
> set up by early 2026**.
Then we have over a year to get to that point, where plugins can define
their reporting method OR a further iteration of the MVP can provide them
with a way to have it reported via W.org.
> That being said, I think it's reasonable to ask that all WordPress
> plugin repo pages should just have a button "report security
> vulnerability"
Agreed. But there is not a current location we can direct all plugins to,
nor can we just have a form that emails the plugins team without some
automation in place.
> which must be a working hyperlink (either to their VDP program,
> security.txt file, or a bug bounty program.) and should be mandatory for
> all new plugin submissions as soon as possible
It's not viable for a lot of plugin authors to set up those options, nor do
we want to require them to use one of the very few commercial companies
who are currently in this space.
Additionally, we need functionality that can support the 60k+ plugins that
exist today, many of which will not be updated again.
I'm not against a required field ''in the future'', but we cannot have a
required field until WordPress.org itself can provide the functionality.
WordPress.org is a ''hosting platform for plugins''; it is not a
marketplace or pure 'directory'. We provide plugins the tools they need,
that is one of the benefits of ''hosting'' with us. We provide
VCS/Translations/Distribution/Code Review/Plugin Security Reporting at
present, and it's that latter one which is currently a manual
process that we have to automate more.
> I would advise to not make some complex solution which potentially
> creates even more overhead to the plugin review team and that will most
> likely be replaced with something else in the future anyways.
This is overhead that we already have, due to Security Vendors emailing us
vulnerabilities every day, often ones that are not user-affecting and where the
plugin author would've been otherwise contactable.
This is not about legal requirements, this is not about forcing plugin
authors to do better, this is not about forcing plugin authors to have a
way to be told about vulnerabilities, this is about reducing the number of
emails that the plugins security reps have to manually process and respond
to every day.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:22>
Making WordPress.org <https://meta.trac.wordpress.org/>