This page is a draft document on how to handle various scenarios involving security issues with extensions.
- The Extension directory has a service that warns admins about available upgrades, but does not alert when the upgrade is a security upgrade.
- CiviCRM blog posts for important updates (the same as when CiviCRM core has a security announcement).
Working with maintainers
- Contact maintainers privately, since GitLab "private issues" are visible to anyone with "reporter" level.
- If the maintainer is not responsive, remove the extension from the directory (unpublish the node, or unpublish the releases?).