It’s Very Common For Libraries Used in WordPress Plugins to Not Have a Security Policy on GitHub on How to Report Security Issues
Yesterday, we noted in a post that a third-party library used in a very popular WordPress plugin didn’t have any listed security advisories in its GitHub project despite the developer having acknowledged that a vulnerability had been fixed. What we also noted in passing was that there also wasn’t a security policy provided for the library, which would explain how to report other security issues in the library. You can see that in this screenshot of the library’s Security tab on GitHub:
The lack of a security policy seemed like something worth noting in the information we provide about libraries included in WordPress plugins through our Plugin Security Scorecard. So we added a check for that to the software that generates the data about known libraries included with WordPress plugins. So far, we have information on 144 libraries (all of which have GitHub projects). Of those, 79 lack a security policy. So over half of the libraries we have added so far are missing one.
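As an added illustration of what such a check involves (this is example code, not the Plugin Security Scorecard's own software), the script below applies GitHub's documented rule that a SECURITY.md file is recognized only in the repository root, the docs/ directory, or the .github/ directory, and then reports which libraries in a constructed sample data set lack one:

```python
"""Flag GitHub-hosted libraries that ship no recognized security policy.

GitHub shows a security policy on a repository's Security tab when a file
named SECURITY.md (any letter case) sits in the repository root, in docs/,
or in .github/. A file of that name anywhere else is not picked up, so a
library can "have" a SECURITY.md and still show nothing on the Security tab.
The library names and file lists below are constructed sample data, not
real projects.
"""
import posixpath

# Directories (relative to the repository root) GitHub scans for SECURITY.md.
POLICY_DIRS = ("", "docs", ".github")


def has_security_policy(paths):
    """Return True if any path in the repository file listing is a
    SECURITY.md that GitHub would recognize."""
    for path in paths:
        directory, name = posixpath.split(path.strip("/"))
        if name.lower() == "security.md" and directory.lower() in POLICY_DIRS:
            return True
    return False


def summarize(libraries):
    """Given {library name: [file paths]}, list the libraries lacking a
    recognized policy and the share of the data set they represent."""
    missing = sorted(name for name, paths in libraries.items()
                     if not has_security_policy(paths))
    return {
        "total": len(libraries),
        "missing": missing,
        "missing_pct": round(100.0 * len(missing) / len(libraries), 1),
    }


# Constructed sample: file listings as a repository tree would report them.
SAMPLE_LIBRARIES = {
    "lib-a": ["README.md", "SECURITY.md", "src/Client.php"],
    "lib-b": ["README.md", "composer.json", "src/Loader.php"],        # no policy
    "lib-c": [".github/SECURITY.md", "src/Http.php"],
    "lib-d": ["docs/security.md", "src/Cache.php"],                   # case-insensitive
    "lib-e": ["src/SECURITY.md", "src/Api.php"],                      # wrong directory
}

if __name__ == "__main__":
    report = summarize(SAMPLE_LIBRARIES)
    print(f"{len(report['missing'])} of {report['total']} libraries "
          f"({report['missing_pct']}%) lack a security policy: "
          f"{', '.join(report['missing'])}")
```

In practice the file listing would come from the repository's tree (for example via the GitHub API or a clone), and the check would run over every known library rather than this constructed sample.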
Looking at a few examples of those providing a security policy and those that don’t, there appears to be a correlation between better security handling and providing one. For example, Automattic has a security policy for their libraries, but StellarWP doesn’t.
We would recommend plugin developers check if the libraries they are using have a security policy and, if they don’t, recommend that the developers of the libraries add one. They also might want to consider switching to libraries that provide one when possible. Everyone else can check if the plugins they are using include libraries with security policies or not by checking the plugins through our tool (assuming we have already added the libraries to our data set).