Buyers and vendors
Abuse reports
How to flag a package for moderation, what Packagento does with the report, and what each side sees afterwards.
What this is for
The report flow is the marketplace's moderation channel. Use it when you believe a package on Packagento crosses a line that the vendor is unlikely to fix on their own: shipping malicious code, infringing someone else's rights, or breaching the platform terms. It is not a support channel and not a substitute for talking to the vendor about a regular bug or feature request.
Reports are reviewed by Packagento, not by the vendor. The reviewer decides whether the concern is substantiated and what, if anything, the marketplace should do about it.
How to file a report
Reports start from the package detail page on the marketplace. The right-hand rail has a "Report this package" block; clicking it opens a short form.
The form asks for:
- Category - pick the closest match from the list (see below). Required.
- Your email - only asked if you are filing while signed out. We use it to confirm receipt and to email you the outcome. We do not share it with the vendor.
- Reason - optional free text, up to 4000 characters. A short, specific paragraph helps a lot: which version you looked at, what you saw, why you think it crosses the line.
You do not need to attach files or paste long logs into the form. If we need more from you to decide, we will reply to the email on file.
When to report versus emailing the vendor
Pick the channel that matches the issue:
- License violation - The vendor is shipping or selling something in a way the upstream licence does not permit (for example redistributing GPL code under proprietary terms, or reselling a package they do not own). File a report.
- Malicious code - The package does something hostile to the buyer: data exfiltration, hidden remote access, unexpected outbound calls, obfuscation that hides its real behaviour. File a report. If you can do so safely, paste a small excerpt in the reason field. For working exploits, prefer our contact form so the details stay off the public report.
- IP infringement - The package contains code, branding, or content that belongs to someone else and is being passed off as the vendor's. File a report. If you are the rights holder, say so in the reason field.
- Spam / low-effort - The listing is filler: empty module, lifted README, deliberately misleading description, or a placeholder hoping to ride a search term. File a report.
- Other - Anything serious that does not fit the categories above. Use the reason field to explain.
For everyday quality issues - a bug, a missing feature, a Magento-version compatibility gap, slow support - email the vendor directly. The contact details are on the package detail page. A report does not get you a refund and does not speed up a fix; for those, see the refund-request and support links at the bottom of this page.
What happens after you submit
- You see an on-page confirmation that the report was received.
- You receive a confirmation email at the address on file (your account email if signed in, the email you typed if signed out) with a reference number.
- Packagento's moderation team is notified and triages the queue, typically within one business day.
- Your identity is not shared with the vendor. If we contact the vendor as part of the review, we describe the concern without surfacing who reported it.
What outcomes you might see
Every report moves through a short series of statuses: open when you submit it, acknowledged once a reviewer has eyes on it, and then one of two terminal outcomes:
- Actioned - Packagento took moderation action. Depending on the case, that can mean suspending the vendor, retiring the package, requiring changes before further releases, or removing an affected version. You receive an email letting you know.
- Dismissed - After review, Packagento decided no moderation action is warranted. This is not a judgement on you; it usually means the concern was outside the marketplace's remit (a regular bug, a feature gap) or the evidence did not support the category you picked. You receive an email letting you know.
Acknowledged is an internal "we have looked at this" marker; you will not get a separate email when a report moves into that state. You will only hear from us when the report is resolved or when we need more information from you.
Filing a false or harassing report wastes review time and erodes the signal. We take repeat offenders seriously - persistent bad-faith reporting can result in your account being restricted from filing further reports.
See also
- Source visibility - what you can read and patch in a licensed package, and where to start when you suspect something is wrong with the code.
- Writing a strong refund request - the right channel when the issue is "this package did not do what I paid for" rather than a moderation concern.
Security issues with working exploits should go through our contact form privately, not through the public report form.