My company does security research on third party WordPress plugins among many, many other things. We penetrate third party WordPress plugins all the time on our localhost. The programmers sometimes release a patch, other times they never fix the problem. If a patch is released I publish an article telling people to upgrade. Since my company wants to respect WordPress and everyone who uses it's platform, I am unsure if we should publish articles about plugins that developers tell me they have abandoned and others who don't patch security holes. Is there another way to deal with the issue? If my company found security holes in Jetpack or a theme by WordPress then I would contact WordPress security, but I am at a loss with negligent 3rd party developers. Any advice is appreciated.