Preventing plugins from entering the directory because of a fear of security vulnerabilities is going to really hinder progress here.
Guidelines are there to guide developers and requirements for submission are there for developers to ensure their plugins meet certain minimum standards.
Good security practice is about clear education and experience.
The striving toward 100% security, or near to, is an effort in futility and will burn resources very quickly - and by resources I mean people. The enormous size of the codebase of some plugins makes it untenable to have reviews “by committee” - if you’re going to set the bar to be “as near to 100% safe as possible”, the testing for such a thing will always need to be automated.
Even then, you’re going to have security vulnerabilities. It’s the cost of doing business. A security vulnerability doesn’t “hurt” reputation in the long term really… it’s the response and handling of the vulnerability that really matters.
I feel in this discussion there’s a huge over-emphasis on security requirements and labelling, and choices/options etc. Developers vary in their competency, and so does their security handling within their code. There’s no getting around that. The WordPress plugin directory, while it has its flaws in some areas, gets the job done really well. It’s open to anyone to create and contribute and there are no labels like “not reviewed” or “basic vulnerability reviewed”. Everyone accepts the risk that a plugin has undergone certain basic tests, or maybe not, and they get on with it.
If you want people to contribute and get involved, making the barrier to entry so high and adding complexity will defeat your purpose.
If you’re going to put requirements in place, you’ll need to make it very clear:
- clear documentation on what they are
- how to meet them
- what to do if things don’t pass
- processes for updating the requirements and communicating updates.
A simple example of where none of this applies is the plugin submissions form/process.
I tried for the 2nd time to submit a plugin, using a dead link/form that’s been clearly non-functional for weeks. So I’m wasting my time doing that, then submitting forum requests, then digging around to see if I can find answers, then discovering that the guidelines for submissions are buried in the forums.
And it could have been avoided by having the dead link updated with a link to a brief outline of the current guidelines and linking to the live submissions page.
My point is… if you’re going to make rules and policies for developers to contribute, document and make it clear how things work before implementing them. Forums aren’t a substitute for documentation and clear guidelines.