Here’s a first draft of the security policy for plugins:
We are pleased to provide this plugin directory both as a convenience to our users and to support those developers who have created plugins designed to work with ClassicPress.
Just as ClassicPress takes a security-first approach, we ask that developers who submit plugins for listing in the directory take the same approach. If we identify a potential security problem with any of the plugins listed, we will:
- notify the developer of the potential problem;
- flag the plugin as potentially insecure within the ClassicPress dashboard of those users with the plugin installed;
- remove the plugin from the directory while a code review is conducted; and
- flag as potentially insecure all other plugins in the directory that have been created by the same developer while a code review is conducted for each of them.
Once an affected plugin passes code review, it will be eligible for reinstatement in the directory without being flagged as potentially insecure.
Plugin developers who are found to have included a security problem with malicious intent will be banned from having any of their plugins listed in the directory.
Anyone who believes that they have discovered a security problem with a plugin listed in the directory should report the issue as soon as possible to EMAIL ADDRESS. Such reports should NOT be made in the support forums. Any report of a security problem made in the forums will be removed.
In every instance, what constitutes a security problem, code review, or malicious intent are matters exclusively for the forum moderators and the ClassicPress security team leader to determine. Their decision is final.