One of the shortcomings I see with the Moodle plugins directory is the inability of plugin maintainers to get in touch with their users, other than by posting in a forum or pushing an update. 

I was recently made aware of a security flaw in one of my free plugins. I patched and updated on Moodle.org as quickly as possible. 

Ideally however I would have access to a list of subscribed users to which I could send a direct message (email or message). After all Moodle alerts registered Moodle site admins of security issues in Moodle in advance of any public release of such information, so it seems like plugins should be no different in this respect.

I would like to suggest that each plugin has a checkbox on their entry in the plugins directory that allows the plugin user to register to receive security notifications (or possibly other notifications too).

Alternatively, security related notifications for plugins could simply be sent out to the known users in exactly the same way that Moodle security notifications are sent. This would be easier to implement because there would be no need to collect and store subscription information per plugin from the plugin user. It would just require a process via which the plugin author could communicate with Moodle community administrators