With the Plugin Directory now having plugins added, it’s probably time to finalise the guidelines. Below is a draft of the vulnerability reporting guidelines.
If you discover a security issue with a plugin listed in the ClassicPress Plugin Directory, we encourage responsible and reasonable disclosure of the security issue. Therefore, please do not publicly release details of the issue anywhere, as this can lead to an increase in people being hacked and rarely speeds up the resolution of the issue.
The first step in reporting a security issue with a plugin, please contact the developer via their standard support channels or by sending a direct message to them on the forum. In your report, please include the following:
- a clear and concise description of the security issue.
- a link to the specific plugin in the ClassicPress Plugin Directory.
- details of who validated the security issue.
It is also recommended to include links to any public disclosures on third party sites.
The second step in reporting a security issue you do not receive an acknowledgement from the developer in 72 hours, please email the details listed above to email [email protected].
The Plugin Directory moderators will attempt to make contact with the plugin developer to get the issue resolved. The plugin may closed to prevent new downloads until the issue is resolved and the Plugin Directory moderators. You may not receive any notifications of progress until a fix has been released.