One of the requirements to get your vulnerable extension marked as resolved is that you publish a security release announcement on your website. However we have noticed that developers often seem to have trouble with understanding what this means.

So what does it mean? We do not have a standard format for this, however we do ask that any reasonably intelligent person reading the notice would understand that there is a new version available, that it is a security release, and that users need to update. Moreover this information should not be buried at the bottom of a page listing all the wonderful features of your extension. You can see a good example here for Joomla. You will note the use of the eye-catching graphic. You will note also that the very second sentence says:-

This is a security release for the 3.x series of Joomla! This release fixes two low level security issues.

The combined effect is that the reader will be in no doubt that it is a security release.

 

What other information do I need to give?

None.

We don't ask that you give away details of the vulnerability, in fact that we advise that you don't. What else you choose to say is entirely up to you, and ought to be guided by a desire to protect your users. For example, some developers choose to give additional instructions for users who are unable to update, for how to patch the issue themselves.

Some developers worry that making a security release announcement may harm them commercially. There is no evidence that this will happen, in fact if you take your users' security seriously then in the long run it will earn you respect.