Hi everyone,
About a year ago I established a policy that we would publish security advisories if there's no expectation of getting them fixed through our private process.
https://jenkins.io/security/#vulnerabilities-in-plugins
Today, I did that once again, in a somewhat popular plugin, and for the first time for a medium severity vulnerability:
https://jenkins.io/security/advisory/2017-10-23/#scp-publisher-plugin-stores-jenkins-credentials-unencrypted-on-disk-round-trips-in-unencrypted-form
For reference, all previous ones (AFAIR) were for much more serious arbitrary code execution vulnerabilities.
I have not tried reaching out to any potential maintainers in this case, the last release was seven years ago, the last activity of any kind four years ago. Even if there is "a maintainer", they're not doing a lot of maintenance.
If you have feedback to share, please do, here or in private.
Thanks!
Daniel