[wp-meta] [Making WordPress.org] #6939: Reporting Security vulnerabilities in plugins
Making WordPress.org
noreply at wordpress.org
Thu Dec 12 22:08:57 UTC 2024
#6939: Reporting Security vulnerabilities in plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: 2nd-opinion |
------------------------------+---------------------
Comment (by Ipstenu):
> The correct solution would be that the plugins team should not be
> bothered at all by this. In fact, this has been told to us in the past by
> the reps. of plugin review team that security reports should be sorted out
> between the reporter and the plugin author. Why create a workflow that
> gravitates the behaviour in the opposite direction?
Because at the end of the day, if a plugin is insecure and the developer
ignores the reporter (or is not reachable), then the Plugin Review Team
has the job of closing the plugin. But that also includes the
responsibility to _confirm_ the report is accurate/worth actioning on (you
know very well how wrong those reports can be, Oliver :D )
Historically the number of people who actually do reasonably inform
developers about issues and get it fixed instead of running to report to
plugins are such a small slice of the pie, it's laughable. And, in
fairness, asking the common user to hunt down the 'right' way to contact
developers. Which is WHY I agree that a `security.txt` or even just a
header in the plugin like `usewpsecurity: true` would be immeasurably
helpful. It gets us that 'here's your place to report' sign up and
running.
But the plugin team _still needs to know_ because the developers may be
non-responsive.
If the plugins aren't being fixed, they need to be closed. And sadly
someone has to do that.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6939#comment:24>
Making WordPress.org <https://meta.trac.wordpress.org/>