Plugins that do not run on legacy PocketMine versions are not going to be catered for. Only ones that work on the latest version are accepted.
Security vulnerabilities should first be reported to the plugin developer. The plugin developer shall contact us to get the advisory published. However, if the plugin developer is not responsive, you may also contact us directly, after which we will decide whether to suspend or to update the plugin.
Security vulnerabilities shall be reported by email to mailto:poggitbot@gmail.com or mailto:team@pmmp.io . After the corresponding vulnerabilities have been fixed and released, we will publish an advisory in this repository, and probably in PocketMine's official advisory server in the future.