Add the security "Report Plugin" button in Marketplace

Other “marketplaces” (VS Code/VS plugins, browser extensions, Google Workplace extensions, you name it) have a Report button, and reports are always promptly acted upon with due diligence. Logseq Marketplace has a “buy me a coffee” button, which is highly valuable, as it’s a simple and straightforward way to support the developers of highly usable extensions. But please, please, please add a button to report a vulnerable plugin and institute a quick security review procedure. Logseq’s “privacy” focus, the feature that’s touted the loudest, currently goes out of the window as soon as a single plugin is installed from the loosely curated Marketplace.

Related: https://discuss.logseq.com/t/marketplace-show-updates-new-plugins-and-themes/5271. The ability to read the plugin’s licence, TOS and other legalese, should it change in an updated version, is a security feature.

X-Ref: GitHub: How to report a security-vulnerable plugin registered in the Marketplace? (logseq/marketplace#578). It’s unclear how to report a vulnerability privately to the curator. This must be exceptionally prominent and easy to find.

Any issue calling out the plugin here, in Discord or in GitHub? I see that you have asked this on GitHub, but was wondering what is stopping you from mentioning the plugin name?

This would be totally unethical. Security issues, as a general rule, aren’t disclosed publicly.

2 Likes

Welcome to the community and thank you for suggesting a “Report plugin” button @cy.kkm, I think that’s needed for sure.

As for the malicious plugin: can you please DM me or send an email to support@logseq.com with the name of the plugin and a link to its GitHub repo?

I’d be the initial contact for an issue like this, or @Charlie. We need to have a clearly documented process for this, and a reporting button would help a lot indeed.

Edit: We’re adding a “Report plugin” button to the Marketplace ASAP. I’ve also added a snippet to the README of the Marketplace repo (though a button will be crucial for end users, of course). Again, thank you for bringing this up @cy.kkm :pray:

2 Likes

Welcome! Excellent post. I agree on the importance of this. Thank you for bringing it up.

1 Like

I’ve just sent a detailed e-mail to the support address. I don’t have enough majick mojo on this forum to send DMs.

Thank you very much for your quick attention to the issue!

Kudos for the swift action!

2 Likes