With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to determine if you should continue using it. The problem with trying to do that is that it isn’t always easy. If you are not dealing with this type of thing on a regular basis, there is a good chance you wouldn’t have the knowledge as to which security issues are of little concern and which are a major concern going forward. You would also have to dig in to see if the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability will get exploited. Since we already come in contact with that type of information, we thought it would be useful to start using the knowledge we are collecting to make it easier to find out if the security practices of plugin developers are lacking, by putting out advisories for developers that have serious issues.
With our service you get an email alert if an installed plugin has a vulnerability in the version you are using (the alert is also shown on the Installed Plugins page). In cases where the vulnerability hasn’t been fixed in a newer version of the plugin by the time we become aware of it, we take steps to rectify that, because alerting you of a vulnerability without a solution has limited usefulness. We first try to get in touch with the developer to make sure they have been made aware of the issue (often they haven’t) and offer to help them fix it. In cases where that isn’t possible or doesn’t work, our next step is to notify the people running the WordPress Plugin Directory. At that point the plugin is usually removed from the directory pending a fix. While that will often get the developer to deal with the issue (and quickly), it doesn’t always.