[wp-hackers] notification of insecure plugins?

Otto otto at ottodestruct.com
Thu Nov 18 21:10:54 UTC 2010


Also, if a plugin has a known security problem and the original author
has abandoned it or is no longer interested in updating it or is
totally unreachable or what have you, and somebody is interested in
taking it over and patching it, then we can grant commit access to it
and allow it to be updated and maintained by somebody else.

This is a special case circumstance, but it is better to have actively
maintained plugins than to have old insecure plugins sitting around in
the repository.

-Otto



On Thu, Nov 18, 2010 at 2:53 PM, Iain Cambridge <wackiebackie at gmail.com> wrote:
> Best thing to do is notify the plug-in developer. Just because they
> haven't noticed it's vulnerable doesn't mean they can't or won't patch
> it. If they do refuse to patch it, patch it yourself. If you're just
> wondering if your plug-in is vulnerable to attack, check the same place
> the hackers do: security sites, advisories and Google.
>
> Iain
>
> On Thu, Nov 18, 2010 at 8:42 PM, Patrick Laverty
> <patrick_laverty at brown.edu> wrote:
>> Is there a place where people can find out accurate information about
>> insecure plugins?  Because plugins are third-party, no one would expect the
>> core team to do anything about them.  However if I have installed a plugin
>> that is vulnerable to attack, I'd like to know about it.
>>
>> Plus, plugin developers might not even know themselves that their plugin is
>> vulnerable and some might not even care to upgrade them when they do know.
>>
>> How can I find out this information so I can then make an informed decision
>> on my plugins?
>>
>> Thanks.
>>
>> Patrick
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>

