I’d like to add 2 points to the discussion:
- Plugin ownership change
You should add a rule regarding change of ownership. Plenty of times when WordPress plugins changed hands, new owners updated plugins with malicious code causing nothing but trouble. Display Widgets plugin is one example.
Maybe ownership change should trigger code review, but not at the commit when new owner is listed, but a randomly picked version in near future.
And, if plugin is found to have malware, it will be rolled back to a clean version but bumped up in version number to trigger update notifications. Removing infected plugin from repo doesn’t remove plugins from infected sites, which is what happened with Display Widgets. There needs to be a better way to mitigate this for users.
- Abandoned plugins
There needs to be a policy for abandoned plugins. First, at a certain point they should no longer be available (3-4 years without updates maybe). Second, it would be good to have a policy to re-assign ownership of an abandoned plugin to a willing and verified developer to take over maintenance of the plugin. The original owner should be contacted 3 times, and if they don’t respond or they do agree to it, then ownership will be reassigned. I think something like this was discussed before for WP a few years back, I vaguely remember it.
- Bonus: Limit liability
As with any agreement, you should limit CP’s liability. WP doesn’t have anything, but that doesn’t change the fact that all agreements should have limited liability/disclaimer clauses. It should at least limit CP’s liability when a plugin is removed and the developer suffers profit loss, so they can’t sue. It sounds crazy, until it happens. I’d rather be crazy than sued.