While hopefully the Plugin Directory will soon improve the process for reporting vulnerabilities and other security issues in plugins, in the meantime people still need to be able to report them, and it's clear that in many cases they don't know how. So we put together this quick guide on doing that, based on our experience reporting the vulnerabilities we have discovered as well as many other publicly disclosed security issues that no one bothered to report to a party that could get them resolved.
You have two major options for reporting a vulnerability: contacting the developer of the plugin directly, or contacting the Plugin Directory.
Contact the Developer
If you think the vulnerability needs to be addressed quickly, the best route is to contact the developer directly. We have often found that it will be addressed within a day; by comparison, when contacting the Plugin Directory it can take days for them to review the report and then pass it along to the developer to get started on fixing the issue. Since the Plugin Directory will remove a plugin from the directory once a security problem has been found, there can then be additional time between the vulnerability being fixed and users getting access to the new version.
The biggest problem with contacting the developer directly is finding a contact. While some plugins make that easy through a website connected to the plugin, others don't have one or don't provide a contact method on their website. In cases where there is a website but no contact method provided there, we have found that the contact email listed in the WHOIS data for the website's domain name often works well for getting hold of the developer. You can also post on the plugin's support forum on the Plugin Directory to try to find out how to contact them.
Contact the Plugin Directory
If you can't get hold of the developer that way, or you don't get any response (in our experience that often occurs), then you can notify the Plugin Directory by emailing firstname.lastname@example.org. More details of what they are looking for in the report can be found here.
Not Sure If You Found a Vulnerability or Other Security Issue
If you have found something that you are not sure is a vulnerability or other security issue, you can get in touch with us. We can double check whether it is in fact a legitimate issue, and if you would like, we can take care of getting it reported to the proper place.