Responsible Disclosure

Continuing the discussion from Plugin ratings + formula + filtering principles:

Following this, what systems, if any, should we have in place to support responsible disclosure? Ideally both plugin moderators and plugin developers would get notified of vulnerabilities so we could start penalizing ratings (as discussed in the linked thread).

For General Users

A simple form that CCs its submission to the relevant developer and the moderators could suffice. After reporting issues, users could be “debriefed” to ensure they understand what to do (and what not to do) after they report. The moderator could also email the developer to connect the dots (i.e., make sure the message was received), and a plan of action can be shared with the moderator at that time, e.g.:

“We’re working on a fix and expect a patch to roll out in 72 hours.”

For Developers

Responsible disclosure for developers (about their own plugins) could probably be handled in the same way. Once the fix was implemented, you would also want to see a non-vague note in the changelog about the specific issue being fixed. For developers that attempt to hide or otherwise obscure an issue, I’d probably hit them with a pretty harsh penalty as that behavior would greatly erode trust in the ecosystem.