Security vetting plugins

Dear all, we are implementing a number of plug ins to our NC setup but are anxious to know what others have found looking at the code and vetting it.

Is there a vetting- procedure or exchange of comments on plug ins in the NC community?



Fredrik Laurin

There is the Bug Bounty program on hackerone:

You can see the activity in the past, which plugins are included, also those included in enterprise support are probably part of some internal review processes.

For other 3rd-party app, I would be careful. There are usually repositories of each app, so you can probably check for some no-gos yourself (are commits reviewed, how many contributors, possibly with NC experience, participate, loading of external content, …).


If we find issues/identify weaknesses where should we report them? Here on help? As a new topic?


best would be here or under github for referring app

1 Like