diff --git a/qgis-app/plugins/api.py b/qgis-app/plugins/api.py
index 65e8e63e..a97b4225 100644
--- a/qgis-app/plugins/api.py
+++ b/qgis-app/plugins/api.py
@@ -15,7 +15,8 @@
 from django.utils.translation import gettext_lazy as _
 from plugins.models import *
 from plugins.validator import validator
-from plugins.views import plugin_notify
+from plugins.views import plugin_notify, send_upload_confirmation_email
+from plugins.tasks.run_security_scan import run_security_scan_task
 from rpc4django import rpcmethod
 from taggit.models import Tag
 
@@ -120,7 +121,10 @@ def plugin_upload(package, **kwargs):
                 package.len,
                 "UTF-8",
             ),
-            "approved": request.user.has_perm("plugins.can_approve") or plugin.approved,
+            # Always start unapproved; async security checks will auto-approve
+            # trusted users after validation completes.
+            "approved": False,
+            "validation_status": VALIDATION_STATUS_VALIDATING,
         }
 
         # Optional version metadata
@@ -133,6 +137,12 @@ def plugin_upload(package, **kwargs):
         new_version = PluginVersion(**version_data)
         new_version.clean()
         new_version.save()
+
+        # Send Stage 1 upload confirmation email
+        send_upload_confirmation_email(new_version)
+
+        # Queue async security scan task
+        run_security_scan_task.delay(new_version.pk)
     except IntegrityError as e:
         # Avoids error: current transaction is aborted, commands ignored until
         # end of transaction block
diff --git a/qgis-app/plugins/migrations/0020_pluginversion_validation_status.py b/qgis-app/plugins/migrations/0020_pluginversion_validation_status.py
new file mode 100644
index 00000000..86192b2f
--- /dev/null
+++ b/qgis-app/plugins/migrations/0020_pluginversion_validation_status.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.28 on 2026-03-12 02:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('plugins', '0019_remove_pluginversion_supports_qt6'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='pluginversion',
+            name='validation_status',
+            field=models.CharField(choices=[('pending', 'Pending'), ('validating', 'Validating'), ('validated', 'Validated'), ('blocked', 'Blocked')], db_index=True, default='pending', help_text="Validation status based on security and quality checks. New uploads start as 'validating' until checks complete. 'blocked' means critical issues were found and the version is not available for approval or download.", max_length=20, verbose_name='Validation status'),
+        ),
+    ]
diff --git a/qgis-app/plugins/migrations/0021_alter_pluginversionsecurityscan_scanned_on.py b/qgis-app/plugins/migrations/0021_alter_pluginversionsecurityscan_scanned_on.py
new file mode 100644
index 00000000..a5fe0e75
--- /dev/null
+++ b/qgis-app/plugins/migrations/0021_alter_pluginversionsecurityscan_scanned_on.py
@@ -0,0 +1,20 @@
+import django.utils.timezone
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("plugins", "0020_pluginversion_validation_status"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="pluginversionsecurityscan",
+            name="scanned_on",
+            field=models.DateTimeField(
+                default=django.utils.timezone.now,
+                verbose_name="Scanned on",
+            ),
+        ),
+    ]
diff --git a/qgis-app/plugins/models.py b/qgis-app/plugins/models.py
index 08c0fe5d..ec011280 100644
--- a/qgis-app/plugins/models.py
+++ b/qgis-app/plugins/models.py
@@ -786,6 +786,19 @@ def get_queryset(self):
         )
 
 
+VALIDATION_STATUS_PENDING = "pending"
+VALIDATION_STATUS_VALIDATING = "validating"
+VALIDATION_STATUS_VALIDATED = "validated"
+VALIDATION_STATUS_BLOCKED = "blocked"
+
+VALIDATION_STATUS_CHOICES = [
+    (VALIDATION_STATUS_PENDING, _("Pending")),
+    (VALIDATION_STATUS_VALIDATING, _("Validating")),
+    (VALIDATION_STATUS_VALIDATED, _("Validated")),
+    (VALIDATION_STATUS_BLOCKED, _("Blocked")),
+]
+
+
 def vjust(str, level=3, delim=".", bitsize=3, fillchar=" ", force_zero=False):
     """
     Normalize a dotted version string.
@@ -934,6 +947,22 @@ class PluginVersion(models.Model):
         null=True,
     )
     is_from_token = models.BooleanField(_("Is uploaded using token"), default=False)
+
+    # Validation status for security and QA checks
+    validation_status = models.CharField(
+        _("Validation status"),
+        max_length=20,
+        choices=VALIDATION_STATUS_CHOICES,
+        default=VALIDATION_STATUS_PENDING,
+        db_index=True,
+        help_text=_(
+            "Validation status based on security and quality checks. "
+            "New uploads start as 'validating' until checks complete. "
+            "'blocked' means critical issues were found and the version "
+            "is not available for approval or download."
+        ),
+    )
+
     # Link to the token if upload is using token
     token = models.ForeignKey(
         PluginOutstandingToken,
@@ -949,6 +978,18 @@ class PluginVersion(models.Model):
     stable_objects = StablePluginVersions()
     experimental_objects = ExperimentalPluginVersions()
 
+    @property
+    def is_available(self):
+        """
+        Returns True if the version is available for download/approval
+        (not blocked by security checks).
+        """
+        return self.validation_status not in [
+            VALIDATION_STATUS_PENDING,
+            VALIDATION_STATUS_VALIDATING,
+            VALIDATION_STATUS_BLOCKED,
+        ]
+
     @property
     def file_name(self):
         return os.path.basename(self.package.file.name)
@@ -1185,7 +1226,7 @@ class PluginVersionSecurityScan(models.Model):
         PluginVersion, on_delete=models.CASCADE, related_name="security_scan"
     )
     scanned_on = models.DateTimeField(
-        _("Scanned on"), auto_now_add=True, editable=False
+        _("Scanned on"), default=timezone.now, editable=False
     )
 
     # Summary statistics
diff --git a/qgis-app/plugins/security_utils.py b/qgis-app/plugins/security_utils.py
index 66502ac3..a52fa9c2 100644
--- a/qgis-app/plugins/security_utils.py
+++ b/qgis-app/plugins/security_utils.py
@@ -21,6 +21,8 @@ def run_security_scan(plugin_version):
         PluginVersionSecurityScan instance or None if scan fails
     """
     try:
+        from django.utils import timezone
+
         # Get the package file path
         package_path = plugin_version.package.path
 
@@ -32,6 +34,7 @@ def run_security_scan(plugin_version):
         security_scan, created = PluginVersionSecurityScan.objects.update_or_create(
             plugin_version=plugin_version,
             defaults={
+                "scanned_on": timezone.now(),
                 "total_checks": report["summary"]["total_checks"],
                 "passed_checks": report["summary"]["passed"],
                 "warning_count": report["summary"]["warnings"],
diff --git a/qgis-app/plugins/tasks/__init__.py b/qgis-app/plugins/tasks/__init__.py
index a3a8ec25..0d4a48d0 100644
--- a/qgis-app/plugins/tasks/__init__.py
+++ b/qgis-app/plugins/tasks/__init__.py
@@ -1,4 +1,5 @@
-from plugins.tasks.generate_plugins_xml import *  # noqa
-from plugins.tasks.update_qgis_versions import *  # noqa
-from plugins.tasks.rebuild_search_index import *  # noqa
-from plugins.tasks.get_sustaining_members import *  # noqa
+from plugins.tasks.generate_plugins_xml import generate_plugins_xml
+from plugins.tasks.update_qgis_versions import update_qgis_versions
+from plugins.tasks.rebuild_search_index import rebuild_search_index
+from plugins.tasks.get_sustaining_members import get_sustaining_members
+from plugins.tasks.run_security_scan import run_security_scan_task
diff --git a/qgis-app/plugins/tasks/run_security_scan.py b/qgis-app/plugins/tasks/run_security_scan.py
new file mode 100644
index 00000000..00206594
--- /dev/null
+++ b/qgis-app/plugins/tasks/run_security_scan.py
@@ -0,0 +1,277 @@
+"""
+Asynchronous Celery task for running security and QA checks on plugin versions.
+
+This task is queued immediately after a plugin is uploaded and processes all
+security checks (Bandit, Secrets Detection, Code Quality, File Permissions,
+Suspicious Files) in the background.
+
+Upload flow:
+1. Plugin uploaded → validation_status='validating', approved=False
+2. This task is queued
+3. All checks run asynchronously
+4. Results stored, validation_status updated:
+   - 'validated': no critical issues → available for approval/auto-approval
+   - 'blocked': critical issues found → unavailable until re-upload
+5. Email sent to maintainer(s) with results
+"""
+
+from django.conf import settings
+from django.contrib.auth.models import User
+from django.core.mail import send_mail
+from django.contrib.sites.models import Site
+from django.utils.translation import gettext_lazy as _
+
+from celery import shared_task
+from celery.utils.log import get_task_logger
+
+from plugins.models import (
+    VALIDATION_STATUS_BLOCKED,
+    VALIDATION_STATUS_VALIDATED,
+    PluginVersion,
+)
+from plugins.security_utils import run_security_scan
+
+
+logger = get_task_logger(__name__)
+
+
+@shared_task(bind=True, max_retries=3, default_retry_delay=60)
+def run_security_scan_task(self, plugin_version_pk, is_manual=False):
+    """
+    Run security scan on a plugin version asynchronously.
+
+    Args:
+        plugin_version_pk: Primary key of the PluginVersion to scan
+        is_manual: If True, this is a manual re-scan on an existing version.
+                   Manual scans are informational only and do not change
+                   the plugin's approval or validation status.
+    """
+    try:
+        plugin_version = PluginVersion.objects.select_related(
+            "plugin", "created_by"
+        ).get(pk=plugin_version_pk)
+    except PluginVersion.DoesNotExist:
+        logger.error(f"PluginVersion {plugin_version_pk} not found, aborting scan")
+        return
+
+    plugin = plugin_version.plugin
+    logger.info(
+        f"Starting security scan for {plugin.package_name} v{plugin_version.version} "
+        f"(manual={is_manual})"
+    )
+
+    # Run the security scan (synchronous scan running in the worker)
+    security_scan = run_security_scan(plugin_version)
+
+    if security_scan is None:
+        # Scan failed to run — treat as validated to avoid blocking on tool errors
+        logger.warning(
+            f"Security scan failed for {plugin.package_name} v{plugin_version.version}, "
+            "treating as validated"
+        )
+        if not is_manual:
+            plugin_version.validation_status = VALIDATION_STATUS_VALIDATED
+            _auto_approve_if_trusted(plugin_version)
+            plugin_version.save()
+            _send_validation_results_email(plugin_version, security_scan=None)
+            if not plugin_version.approved:
+                _notify_staff_for_review(plugin_version)
+        return
+
+    # Determine blocking status: Bandit and Secrets Detection are blocking
+    has_critical_issues = security_scan.critical_count > 0
+
+    if is_manual:
+        # Manual scans are informational only — never change status or approval
+        logger.info(
+            f"Manual scan complete for {plugin.package_name} v{plugin_version.version}: "
+            f"critical={security_scan.critical_count}"
+        )
+        return
+
+    if has_critical_issues:
+        plugin_version.validation_status = VALIDATION_STATUS_BLOCKED
+        logger.warning(
+            f"Plugin {plugin.package_name} v{plugin_version.version} BLOCKED: "
+            f"{security_scan.critical_count} critical issue(s) found"
+        )
+    else:
+        plugin_version.validation_status = VALIDATION_STATUS_VALIDATED
+        _auto_approve_if_trusted(plugin_version)
+        logger.info(
+            f"Plugin {plugin.package_name} v{plugin_version.version} validated successfully"
+        )
+
+    plugin_version.save()
+
+    # Send validation results email to maintainer(s)
+    _send_validation_results_email(plugin_version, security_scan)
+
+    # Notify staff approvers when a non-trusted plugin is ready for review
+    if (
+        plugin_version.validation_status == VALIDATION_STATUS_VALIDATED
+        and not plugin_version.approved
+    ):
+        _notify_staff_for_review(plugin_version)
+
+
+def _auto_approve_if_trusted(plugin_version):
+    """
+    Auto-approve the version if the uploader is trusted or the plugin
+    already has at least one approved version.
+    """
+    created_by = plugin_version.created_by
+    plugin = plugin_version.plugin
+
+    if created_by and (
+        created_by.has_perm("plugins.can_approve") or plugin.approved
+    ):
+        plugin_version.approved = True
+        logger.info(
+            f"Auto-approving {plugin.package_name} v{plugin_version.version} "
+            f"(trusted={created_by.has_perm('plugins.can_approve')}, "
+            f"plugin_approved={plugin.approved})"
+        )
+
+
+def _send_validation_results_email(plugin_version, security_scan):
+    """
+    Send Stage 2 email: validation results to the plugin maintainer(s).
+    """
+    if getattr(settings, "DEBUG", False):
+        logger.debug("Validation results email not sent (DEBUG=True)")
+        return
+
+    plugin = plugin_version.plugin
+    recipients = [u.email for u in plugin.editors if u.email]
+    if not recipients:
+        logger.warning(
+            f"No recipients found for validation results email for {plugin.package_name}"
+        )
+        return
+
+    domain = Site.objects.get_current().domain
+    mail_from = settings.DEFAULT_FROM_EMAIL
+    version_url = f"https://{domain}{plugin_version.get_absolute_url()}"
+    security_url = f"{version_url}#security-tab"
+    docs_url = f"https://{domain}/docs/security-scanning"
+
+    if security_scan is None:
+        subject = f"Plugin Validation Results: {plugin.name} v{plugin_version.version}"
+        message = f"""Plugin validation for {plugin.name} v{plugin_version.version} completed.
+
+The security scan could not be completed due to a tool error, but your plugin has been made available for approval.
+
+Plugin details: {version_url}
+"""
+    elif plugin_version.validation_status == "validated":
+        auto_approved = plugin_version.approved
+        subject = f"Plugin Validation Results: {plugin.name} v{plugin_version.version} - All Checks Passed"
+        if auto_approved:
+            status_msg = "Your plugin has been automatically approved and is now available for download."
+        else:
+            status_msg = "Your plugin is ready for review by an approver."
+        message = f"""Good news! All security and quality checks passed for your plugin.
+
+Plugin: {plugin.name}
+Version: {plugin_version.version}
+Status: {status_msg}
+
+Summary:
+  - Checks passed: {security_scan.passed_checks} / {security_scan.total_checks}
+  - Files scanned: {security_scan.files_scanned}
+
+View detailed results: {security_url}
+"""
+    else:
+        # blocked
+        subject = f"Plugin Validation Results: {plugin.name} v{plugin_version.version} - Critical Issues Found"
+        critical_details = _build_critical_issues_text(security_scan)
+        message = f"""Critical security issues were found in your plugin and it has been BLOCKED.
+
+Plugin: {plugin.name}
+Version: {plugin_version.version}
+Status: BLOCKED - Not available for approval or download until issues are resolved
+
+Critical issues found:
+{critical_details}
+To resolve this:
+1. Fix the critical issues listed above
+2. Upload a new version of your plugin
+3. The new version will be automatically re-scanned
+
+View detailed scan results: {security_url}
+Security best practices: {docs_url}
+"""
+
+    try:
+        send_mail(subject, message, mail_from, recipients)
+        logger.info(
+            f"Validation results email sent for {plugin.package_name} v{plugin_version.version} "
+            f"to {recipients}"
+        )
+    except Exception as e:
+        logger.error(f"Failed to send validation results email: {e}")
+
+
+def _build_critical_issues_text(security_scan):
+    """Build a text summary of critical issues from the scan report."""
+    lines = []
+    for check in security_scan.scan_report.get("checks", []):
+        if not check.get("passed") and check.get("severity") == "critical":
+            lines.append(f"\n[{check['name']}] - {check['issues_found']} issue(s)")
+            for detail in check.get("details", [])[:5]:
+                file_info = detail.get("file", "N/A")
+                line_info = detail.get("line", "")
+                msg = detail.get("message", "")
+                if line_info:
+                    lines.append(f"  - {file_info}:{line_info}: {msg}")
+                else:
+                    lines.append(f"  - {file_info}: {msg}")
+    return "\n".join(lines) if lines else "No details available."
+
+
+def _notify_staff_for_review(plugin_version):
+    """
+    Notify staff approvers that a plugin is ready for review
+    (equivalent to version_notify but triggered from the task).
+    """
+    if getattr(settings, "DEBUG", False):
+        return
+
+    plugin = plugin_version.plugin
+    domain = Site.objects.get_current().domain
+    mail_from = settings.DEFAULT_FROM_EMAIL
+
+    notification_group = getattr(
+        settings, "NOTIFICATION_RECIPIENTS_GROUP_NAME", "Plugin Notification Recipients"
+    )
+
+    recipients = [
+        u.email
+        for u in User.objects.filter(
+            groups__name=notification_group,
+            is_staff=True,
+            email__isnull=False,
+        ).exclude(email="")
+    ]
+
+    if not recipients:
+        logger.warning(
+            f"No staff recipients for review notification of {plugin.package_name}"
+        )
+        return
+
+    try:
+        send_mail(
+            f"A new plugin version is ready for review: {plugin.name} v{plugin_version.version}",
+            f"""Plugin {plugin.name} version {plugin_version.version} has passed all security checks and is ready for approval.
+
+Uploaded by: {plugin_version.created_by}
+Link: http://{domain}{plugin_version.get_absolute_url()}
+""",
+            mail_from,
+            recipients
+        )
+    except Exception as e:
+        logger.error(f"Failed to send staff review notification: {e}")
diff --git a/qgis-app/plugins/templates/plugins/plugin_detail.html b/qgis-app/plugins/templates/plugins/plugin_detail.html
index 3dd8feb4..ea3fcf9a 100644
--- a/qgis-app/plugins/templates/plugins/plugin_detail.html
+++ b/qgis-app/plugins/templates/plugins/plugin_detail.html
@@ -581,9 +581,13 @@ <h2>
                                         {% if not user.is_anonymous %}
                                         <td class="has-text-centered">
                                             {% if version.approved %}
-                                                <i class="fas fa-check-circle has-text-success"></i>
+                                                <i class="fas fa-check-circle has-text-success" title="{% trans 'Approved' %}"></i>
+                                            {% elif version.validation_status == 'validating' %}
+                                                <i class="fas fa-spinner fa-spin has-text-info" title="{% trans 'Validating security checks...' %}"></i>
+                                            {% elif version.validation_status == 'blocked' %}
+                                                <i class="fas fa-ban has-text-danger" title="{% trans 'Blocked: critical security issues found' %}"></i>
                                             {% else %}
-                                                <i class="fas fa-times-circle has-text-danger"></i>
+                                                <i class="fas fa-times-circle has-text-danger" title="{% trans 'Not approved' %}"></i>
                                             {% endif %}
                                         </td>
                                         {% endif %}
@@ -609,6 +613,16 @@ <h2>
                                         <td class="has-text-centered" style="min-width: 200px;">
                                             {% if user.is_staff or user in version.plugin.approvers %}
                                                 {% if not version.approved %}
+                                                {% if not version.is_available %}
+                                                    <button class="button is-warning is-small is-outlined" disabled
+                                                            title="{% if version.validation_status == 'blocked' %}{% trans 'Blocked: critical security issues' %}{% else %}{% trans 'Validating...' %}{% endif %}">
+                                                        {% if version.validation_status == 'blocked' %}
+                                                        <i class="fas fa-ban"></i>
+                                                        {% else %}
+                                                        <i class="fas fa-spinner fa-spin"></i>
+                                                        {% endif %}
+                                                    </button>
+                                                {% else %}
                                                     <form id="approve-version-{{ version.pk }}" method="post" action="{% url 'version_approve' object.package_name version.version %}" style="display:inline;">
                                                         {% csrf_token %}
                                                         <button class="button is-success is-small is-outlined"
@@ -618,6 +632,7 @@ <h2>
                                                             <i class="fas fa-thumbs-up"></i>
                                                         </button>
                                                     </form>
+                                                {% endif %}
                                                 {% else %}
                                                     <form id="unapprove-version-{{ version.pk }}" method="post" action="{% url 'version_unapprove' object.package_name version.version %}" style="display:inline;">
                                                         {% csrf_token %}
diff --git a/qgis-app/plugins/templates/plugins/version_detail.html b/qgis-app/plugins/templates/plugins/version_detail.html
index 94a5b479..8bf27003 100644
--- a/qgis-app/plugins/templates/plugins/version_detail.html
+++ b/qgis-app/plugins/templates/plugins/version_detail.html
@@ -52,12 +52,47 @@
     <div class="is-flex is-justify-content-space-between">
         <h2 class="title is-4">{% trans "Version" %}: {{ version }}</h2>
         <div>
+            {% if not version.approved and version.validation_status == 'validating' %}
+            <button class="button" disabled title="{% trans "Plugin is being validated - download unavailable" %}">
+                <span class="icon"><i class="fas fa-spinner fa-spin"></i></span>
+                <span>{% trans "Validating..." %}</span>
+            </button>
+            {% elif not version.approved and version.validation_status == 'blocked' %}
+            <button class="button is-danger" disabled title="{% trans "Plugin is blocked due to critical security issues" %}">
+                <span class="icon"><i class="fas fa-ban"></i></span>
+                <span>{% trans "Blocked" %}</span>
+            </button>
+            {% else %}
             <a href="{% url "version_download" version.plugin.package_name version.version %}" class="button">
                 <span class="icon"><i class="fas fa-download"></i></span>
                 <span>{% trans "Download" %}</span>
             </a>
+            {% endif %}
         </div>
     </div>
+
+    {% if not version.approved and version.validation_status == 'validating' %}
+    <div class="notification is-info is-light">
+        <p><strong><span class="icon"><i class="fas fa-spinner fa-spin"></i></span> {% trans "Validation in progress" %}</strong></p>
+        <p>{% trans "Security and quality checks are running asynchronously. This plugin version is not yet available for approval or download. You will receive an email with the results shortly." %}</p>
+        <p><a href="{% url 'docs_security_scanning' %}">{% trans "Learn more about security scanning" %}</a></p>
+    </div>
+    {% elif not version.approved and version.validation_status == 'blocked' %}
+    <div class="notification is-danger is-light">
+        <p><strong><span class="icon"><i class="fas fa-ban"></i></span> {% trans "Plugin Blocked" %}</strong></p>
+        <p>{% trans "This plugin version has been blocked because critical security issues were found during validation. It is not available for approval or download until the issues are resolved." %}</p>
+        {% if user.is_staff or user in version.plugin.editors %}
+        <p>{% trans "To resolve this:" %}</p>
+        <ol>
+            <li>{% trans "Fix the critical issues listed in the Security Scan tab below" %}</li>
+            <li>{% trans "Upload a new version of your plugin" %}</li>
+            <li>{% trans "The new version will be automatically re-scanned" %}</li>
+        </ol>
+        <p><a href="{% url 'docs_security_scanning' %}">{% trans "Learn more about fixing security issues" %}</a></p>
+        {% endif %}
+    </div>
+    {% endif %}
+
     {% if not version.created_by.is_active and not version.is_from_token %}
     <div class="notification is-danger is-light">
         {% trans "The plugin author has been blocked." %}
@@ -70,7 +105,11 @@ <h2 class="title is-4">{% trans "Version" %}: {{ version }}</h2>
             {% if user.is_staff or user in version.plugin.editors %}
             <li data-tab="2"><a href="#security-tab">
                 <span>{% trans "Security Scan" %}</span>
-                {% if security_scan %}
+                {% if version.validation_status == 'validating' %}
+                <span class="tag ml-2 is-info">{% trans "Validating" %}</span>
+                {% elif version.validation_status == 'blocked' %}
+                <span class="tag ml-2 is-danger">{% trans "Blocked" %}</span>
+                {% elif security_scan %}
                 <span class="tag ml-2 {{ scan_badge.class }}">
                     {% if security_scan.overall_status == 'passed' %}✓{% elif security_scan.overall_status == 'critical' %}!{% else %}ℹ{% endif %}
                 </span>
@@ -162,7 +201,13 @@ <h2 class="title is-4">{% trans "Version" %}: {{ version }}</h2>
         {% if user.is_staff or user in version.plugin.editors %}
         <div class="tab-pane" id="security-tab">
 
-            {% if security_scan %}
+            {% if version.validation_status == 'validating' %}
+            <div class="notification is-info is-light">
+                <p><strong><span class="icon"><i class="fas fa-spinner fa-spin"></i></span> {% trans "Security validation in progress" %}</strong></p>
+                <p>{% trans "Security and quality checks are currently running. This tab will show the results once complete. Refresh the page in a few moments." %}</p>
+            </div>
+
+            {% elif security_scan %}
 
                 <!-- Important Notes -->
                 <div class="container rich">
@@ -170,9 +215,13 @@ <h2 class="title is-4">{% trans "Version" %}: {{ version }}</h2>
                         <h3>{% trans "Important Information" %}</h3>
                         <p>
                             <ul>
-                                <li>{% trans "These security checks are informational and do not block plugin upload." %}</li>
+                                {% if version.validation_status == 'blocked' %}
+                                <li class="has-text-danger has-text-weight-bold">{% trans "This plugin version is BLOCKED due to critical security issues and is not available for approval or download." %}</li>
+                                {% else %}
                                 <li>{% trans "Warnings and issues should be reviewed and addressed when possible to ensure plugin security and quality." %}</li>
-                                <li>{% trans "Critical issues may indicate security vulnerabilities that should be fixed immediately." %}</li>
+                                {% endif %}
+                                <li>{% trans "Critical issues (Bandit Security Analysis, Secrets Detection) block the plugin until resolved." %}</li>
+                                <li>{% trans "Non-critical issues (warnings, info) are informational." %}</li>
                                 <li>{% trans "False positives may occur - review results in context of your plugin's functionality." %}</li>
                                 <li>
                                     <a href="{% url 'docs_security_scanning' %}" target="_blank" class="has-text-weight-semibold">
@@ -357,9 +406,37 @@ <h5 class="title is-6 mb-3">{% trans "Detailed Check Results" %}</h5>
                         <span class="icon"><i class="fas fa-exclamation-triangle"></i></span>
                         {% trans "No security scan available for this version" %}
                     </p>
-                    <p class="mt-2">{% trans "This version was uploaded before security scanning was implemented, or the scan failed. Please contact an administrator if you'd like to request a scan." %}</p>
+                    <p class="mt-2">{% trans "This version was uploaded before security scanning was implemented, or the scan results are pending. You can trigger a manual scan below." %}</p>
                 </div>
+                <!-- Manual rescan button for existing versions -->
+                <form method="post" action="{% url 'version_rescan' version.plugin.package_name version.version %}">
+                    {% csrf_token %}
+                    <button type="submit" class="button is-info is-outlined mt-3">
+                        <span class="icon"><i class="fas fa-sync-alt"></i></span>
+                        <span>{% trans "Run security scan (informational only)" %}</span>
+                    </button>
+                </form>
+                <p class="is-size-7 has-text-grey mt-2">
+                    {% trans "Manual scans on existing versions are informational only and will not change the plugin's approval status." %}
+                </p>
+            {% endif %}
+
+            {% if security_scan and version.validation_status not in 'validating' %}
+            <!-- Manual rescan button (always available for owners/staff on existing scans) -->
+            <div class="mt-5">
+                <form method="post" action="{% url 'version_rescan' version.plugin.package_name version.version %}">
+                    {% csrf_token %}
+                    <button type="submit" class="button is-light is-small">
+                        <span class="icon"><i class="fas fa-sync-alt"></i></span>
+                        <span>{% trans "Re-run scan (informational)" %}</span>
+                    </button>
+                </form>
+                <p class="is-size-7 has-text-grey mt-1">
+                    {% trans "Re-running a scan on an existing version is informational only and will not change the plugin's status." %}
+                </p>
+            </div>
             {% endif %}
+
         </div>
         {% endif %}
 
@@ -384,10 +461,24 @@ <h4 class="title is-6 mb-2">{% trans "Version management"%}</h4>
             <h4 class="title is-6 mb-2 mt-5">{% trans "Version approval"%}</h4>
             <form class="form-inline" method="post" action="{% url "version_manage" version.plugin.package_name version.version %}">{% csrf_token %}
                 {% if not version.approved %}
+                {% if not version.is_available %}
+                <button class="button is-success is-outlined" disabled title="{% if version.validation_status == 'blocked' %}{% trans 'This version is blocked due to critical security issues and cannot be approved' %}{% else %}{% trans 'Security validation is in progress - please wait before approving' %}{% endif %}">
+                    <span class="icon"><i class="fas fa-check"></i></span>
+                    <span>{% trans "Approve this version" %}</span>
+                </button>
+                <p class="is-size-7 has-text-danger mt-1">
+                    {% if version.validation_status == 'blocked' %}
+                    {% trans "Blocked: critical security issues must be resolved first" %}
+                    {% else %}
+                    {% trans "Validation in progress: approval not available yet" %}
+                    {% endif %}
+                </p>
+                {% else %}
                 <button class="button is-success is-outlined" type="submit" name="version_approve" id="version_approve">
                     <span class="icon"><i class="fas fa-check"></i></span>
                     <span>{% trans "Approve this version" %}</span>
                 </button>
+                {% endif %}
                 {% else %}
                 <button class="button is-warning is-outlined" type="submit" name="version_unapprove" id="version_unapprove">
                     <span class="icon"><i class="fas fa-times"></i></span>
diff --git a/qgis-app/plugins/tests/test_plugin_create_empty.py b/qgis-app/plugins/tests/test_plugin_create_empty.py
index d68606fa..d353894b 100644
--- a/qgis-app/plugins/tests/test_plugin_create_empty.py
+++ b/qgis-app/plugins/tests/test_plugin_create_empty.py
@@ -206,7 +206,7 @@ def test_create_empty_plugin_duplicate_name(self):
     @patch("plugins.views.plugin_notify", new=do_nothing)
     @patch("plugins.tasks.generate_plugins_xml", new=do_nothing)
     @patch("plugins.validator._check_url_link", new=do_nothing)
-    @patch("plugins.security_utils.run_security_scan", new=do_nothing)
+    @patch("plugins.tasks.run_security_scan.run_security_scan_task.delay", new=do_nothing)
     def test_upload_version_after_creating_empty_plugin(self):
         """Test that a version can be uploaded after creating an empty plugin"""
         self.client.login(username="testuser", password="testpassword")
diff --git a/qgis-app/plugins/tests/test_plugin_upload.py b/qgis-app/plugins/tests/test_plugin_upload.py
index 7f744f2f..86f945ae 100644
--- a/qgis-app/plugins/tests/test_plugin_upload.py
+++ b/qgis-app/plugins/tests/test_plugin_upload.py
@@ -34,6 +34,7 @@ def setUp(self):
 
     @patch("plugins.tasks.generate_plugins_xml", new=do_nothing)
     @patch("plugins.validator._check_url_link", new=do_nothing)
+    @patch("plugins.tasks.run_security_scan.run_security_scan_task.delay", new=do_nothing)
     def test_plugin_upload_form(self):
         # Log in the test user
         self.client.login(username='testuser', password='testpassword')
diff --git a/qgis-app/plugins/tests/test_security_scanner.py b/qgis-app/plugins/tests/test_security_scanner.py
index c25c75e6..69c3bede 100644
--- a/qgis-app/plugins/tests/test_security_scanner.py
+++ b/qgis-app/plugins/tests/test_security_scanner.py
@@ -12,7 +12,7 @@
 from django.test import TestCase
 from plugins.models import Plugin, PluginVersion, PluginVersionSecurityScan
 from plugins.security_scanner import PluginSecurityScanner, SecurityCheck
-from plugins.security_utils import get_scan_badge_info, run_security_scan
+from plugins.security_utils import get_scan_badge_info
 
 
 class SecurityScannerTestCase(TestCase):
diff --git a/qgis-app/plugins/tests/test_security_validator.py b/qgis-app/plugins/tests/test_security_validator.py
new file mode 100644
index 00000000..706cb1c7
--- /dev/null
+++ b/qgis-app/plugins/tests/test_security_validator.py
@@ -0,0 +1,649 @@
+"""
+Unit tests for the blocking security validator feature (QEP-408 / Issue #216).
+
+Tests cover:
+ - PluginVersion.validation_status field and is_available property
+ - Async Celery task: run_security_scan_task
+ - Upload flow: validation_status set to validating, task queued
+ - Download blocking for validating/blocked versions
+ - Approval blocking for validating/blocked versions
+ - Manual re-scan view (version_rescan)
+ - Stage 1 (upload confirmation) and Stage 2 (results) email notifications
+"""
+
+import os
+from unittest.mock import MagicMock, patch
+
+from django.contrib.auth.models import Permission, User
+from django.core import mail
+from django.core.files.uploadedfile import SimpleUploadedFile
+from django.test import Client, RequestFactory, TestCase, override_settings
+from django.urls import reverse
+
+from plugins.models import (
+    Plugin,
+    PluginVersion,
+    PluginVersionSecurityScan,
+    VALIDATION_STATUS_BLOCKED,
+    VALIDATION_STATUS_PENDING,
+    VALIDATION_STATUS_VALIDATED,
+    VALIDATION_STATUS_VALIDATING,
+)
+from plugins.tasks.run_security_scan import (
+    _auto_approve_if_trusted,
+    _send_validation_results_email,
+    run_security_scan_task,
+)
+
+TESTFILE_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), "testfiles"))
+
+
+def _make_plugin_version(user, validation_status=VALIDATION_STATUS_PENDING, approved=False):
+    """Create a minimal Plugin + PluginVersion for testing."""
+    plugin = Plugin.objects.create(
+        package_name="test-security-pkg",
+        created_by=user,
+        name="Test Security Plugin",
+    )
+    version = PluginVersion.objects.create(
+        plugin=plugin,
+        version="1.0.0",
+        downloads=0,
+        created_by=user,
+        approved=approved,
+        validation_status=validation_status,
+        package=SimpleUploadedFile("test.zip", b"PK\x05\x06" + b"\x00" * 18),
+        min_qg_version="3.0.0",
+        max_qg_version="3.99.0",
+    )
+    return plugin, version
+
+
+# ---------------------------------------------------------------------------
+# Model / property tests
+# ---------------------------------------------------------------------------
+
+class ValidationStatusPropertyTest(TestCase):
+    """Tests for PluginVersion.is_available and validation_status field."""
+
+    def setUp(self):
+        self.user = User.objects.create_user(
+            username="propuser", password="pass", email="prop@test.com"
+        )
+
+    def test_is_available_pending(self):
+        _, version = _make_plugin_version(self.user, VALIDATION_STATUS_PENDING)
+        self.assertTrue(version.is_available)
+
+    def test_is_available_validating(self):
+        _, version = _make_plugin_version(self.user, VALIDATION_STATUS_VALIDATING)
+        self.assertFalse(version.is_available)
+
+    def test_is_available_validated(self):
+        _, version = _make_plugin_version(self.user, VALIDATION_STATUS_VALIDATED)
+        self.assertTrue(version.is_available)
+
+    def test_is_available_blocked(self):
+        _, version = _make_plugin_version(self.user, VALIDATION_STATUS_BLOCKED)
+        self.assertFalse(version.is_available)
+
+    def test_default_validation_status_is_pending(self):
+        plugin = Plugin.objects.create(
+            package_name="default-status-pkg",
+            created_by=self.user,
+        )
+        version = PluginVersion.objects.create(
+            plugin=plugin,
+            version="0.1.0",
+            downloads=0,
+            created_by=self.user,
+            package=SimpleUploadedFile("t.zip", b"PK\x05\x06" + b"\x00" * 18),
+            min_qg_version="3.0.0",
+            max_qg_version="3.99.0",
+        )
+        self.assertEqual(version.validation_status, VALIDATION_STATUS_PENDING)
+
+
+# ---------------------------------------------------------------------------
+# Async task tests
+# ---------------------------------------------------------------------------
+
+class RunSecurityScanTaskTest(TestCase):
+    """Tests for the run_security_scan_task Celery task."""
+
+    fixtures = ["fixtures/auth.json"]
+
+    def setUp(self):
+        self.user = User.objects.create_user(
+            username="taskuser", password="pass", email="task@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(
+            self.user, VALIDATION_STATUS_VALIDATING
+        )
+
+    def _make_security_scan(self, critical_count=0, passed_checks=5, total_checks=5):
+        """Create a PluginVersionSecurityScan with the given critical_count."""
+        scan = PluginVersionSecurityScan.objects.create(
+            plugin_version=self.version,
+            scan_report={
+                "checks": [],
+                "summary": {
+                    "total_checks": total_checks,
+                    "passed": passed_checks,
+                    "failed": total_checks - passed_checks,
+                    "critical": critical_count,
+                    "warning": 0,
+                    "info": 0,
+                    "files_scanned": 1,
+                },
+            },
+            critical_count=critical_count,
+            warning_count=0,
+            passed_checks=passed_checks,
+            total_checks=total_checks,
+            files_scanned=1,
+        )
+        return scan
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_task_sets_validated_when_no_critical_issues(self, mock_scan):
+        """Task sets validation_status='validated' when critical_count == 0."""
+        scan = self._make_security_scan(critical_count=0)
+        mock_scan.return_value = scan
+
+        run_security_scan_task(self.version.pk)
+
+        self.version.refresh_from_db()
+        self.assertEqual(self.version.validation_status, VALIDATION_STATUS_VALIDATED)
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_task_sets_blocked_when_critical_issues(self, mock_scan):
+        """Task sets validation_status='blocked' when critical_count > 0."""
+        scan = self._make_security_scan(critical_count=2)
+        mock_scan.return_value = scan
+
+        run_security_scan_task(self.version.pk)
+
+        self.version.refresh_from_db()
+        self.assertEqual(self.version.validation_status, VALIDATION_STATUS_BLOCKED)
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_task_blocked_version_not_approved(self, mock_scan):
+        """Blocked versions must not be auto-approved."""
+        scan = self._make_security_scan(critical_count=1)
+        mock_scan.return_value = scan
+
+        run_security_scan_task(self.version.pk)
+
+        self.version.refresh_from_db()
+        self.assertFalse(self.version.approved)
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_manual_scan_does_not_change_status(self, mock_scan):
+        """Manual re-scans must NOT change validation_status."""
+        self.version.validation_status = VALIDATION_STATUS_VALIDATED
+        self.version.save()
+
+        # Scan reports critical issues, but because is_manual=True status must not change
+        scan = self._make_security_scan(critical_count=3)
+        mock_scan.return_value = scan
+
+        run_security_scan_task(self.version.pk, is_manual=True)
+
+        self.version.refresh_from_db()
+        # Must remain validated, not blocked
+        self.assertEqual(self.version.validation_status, VALIDATION_STATUS_VALIDATED)
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_task_handles_nonexistent_version(self, mock_scan):
+        """Task must not raise when the PluginVersion no longer exists."""
+        # Should complete without error
+        run_security_scan_task(99999)
+        mock_scan.assert_not_called()
+
+    @override_settings(DEBUG=True)
+    @patch("plugins.tasks.run_security_scan.run_security_scan")
+    def test_task_scan_tool_failure_treated_as_validated(self, mock_scan):
+        """When the scan tool fails (returns None), version is still validated."""
+        mock_scan.return_value = None
+
+        run_security_scan_task(self.version.pk)
+
+        self.version.refresh_from_db()
+        self.assertEqual(self.version.validation_status, VALIDATION_STATUS_VALIDATED)
+
+
+# ---------------------------------------------------------------------------
+# Auto-approve helper tests
+# ---------------------------------------------------------------------------
+
+class MaybeAutoApproveTest(TestCase):
+    """Tests for the _auto_approve_if_trusted helper."""
+
+    def setUp(self):
+        self.user = User.objects.create_user(
+            username="approveuser", password="pass", email="approve@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(self.user)
+
+    def test_auto_approve_for_trusted_user(self):
+        """Users with 'can_approve' permission are auto-approved."""
+        permission = Permission.objects.get(codename="can_approve")
+        self.user.user_permissions.add(permission)
+        # Refresh from DB to pick up new permissions
+        self.user = User.objects.get(pk=self.user.pk)
+        self.version.created_by = self.user
+
+        _auto_approve_if_trusted(self.version)
+
+        self.assertTrue(self.version.approved)
+
+    def test_auto_approve_when_plugin_already_approved(self):
+        """Versions of already-approved plugins are auto-approved."""
+        # Approve the plugin by approving an older version
+        self.plugin.latest_approved_version = self.version
+        old_version = PluginVersion.objects.create(
+            plugin=self.plugin,
+            version="0.9.0",
+            downloads=0,
+            created_by=self.user,
+            approved=True,
+            package=SimpleUploadedFile("t2.zip", b"PK\x05\x06" + b"\x00" * 18),
+            min_qg_version="3.0.0",
+            max_qg_version="3.99.0",
+        )
+        # Plugin.approved returns True when any version is approved
+        self.assertTrue(self.plugin.approved)
+
+        _auto_approve_if_trusted(self.version)
+
+        self.assertTrue(self.version.approved)
+
+    def test_no_auto_approve_for_untrusted_user(self):
+        """Regular users without 'can_approve' are NOT auto-approved."""
+        _auto_approve_if_trusted(self.version)
+        self.assertFalse(self.version.approved)
+
+
+# ---------------------------------------------------------------------------
+# Upload flow tests
+# ---------------------------------------------------------------------------
+
+class PluginUploadValidationFlowTest(TestCase):
+    """Tests that the upload view sets validating status and queues the task."""
+
+    fixtures = ["fixtures/auth.json"]
+
+    def setUp(self):
+        self.client = Client()
+        self.user = User.objects.create_user(
+            username="uploaduser", password="testpass", email="upload@test.com"
+        )
+        self.url = reverse("plugin_upload")
+
+    @override_settings(MEDIA_ROOT="api/tests", DEBUG=True)
+    @patch("plugins.tasks.generate_plugins_xml", new=lambda *a, **kw: None)
+    @patch("plugins.validator._check_url_link", new=lambda *a, **kw: None)
+    @patch("plugins.tasks.run_security_scan.run_security_scan_task.delay")
+    def test_upload_sets_validating_status(self, mock_task):
+        """Freshly uploaded version must have validation_status='validating'."""
+        self.client.login(username="uploaduser", password="testpass")
+        valid_plugin = os.path.join(TESTFILE_DIR, "valid_plugin.zip_")
+        with open(valid_plugin, "rb") as f:
+            uploaded = SimpleUploadedFile("valid_plugin.zip_", f.read(), content_type="application/zip")
+
+        response = self.client.post(self.url, {"package": uploaded})
+
+        self.assertEqual(response.status_code, 302)
+        version = PluginVersion.objects.filter(plugin__name="Test Plugin").first()
+        self.assertIsNotNone(version)
+        self.assertEqual(version.validation_status, VALIDATION_STATUS_VALIDATING)
+
+    @override_settings(MEDIA_ROOT="api/tests", DEBUG=True)
+    @patch("plugins.tasks.generate_plugins_xml", new=lambda *a, **kw: None)
+    @patch("plugins.validator._check_url_link", new=lambda *a, **kw: None)
+    @patch("plugins.tasks.run_security_scan.run_security_scan_task.delay")
+    def test_upload_sets_approved_false(self, mock_task):
+        """Freshly uploaded version must be unapproved regardless of user trust."""
+        self.client.login(username="uploaduser", password="testpass")
+        valid_plugin = os.path.join(TESTFILE_DIR, "valid_plugin.zip_")
+        with open(valid_plugin, "rb") as f:
+            uploaded = SimpleUploadedFile("valid_plugin.zip_", f.read(), content_type="application/zip")
+
+        self.client.post(self.url, {"package": uploaded})
+
+        version = PluginVersion.objects.filter(plugin__name="Test Plugin").first()
+        self.assertIsNotNone(version)
+        self.assertFalse(version.approved)
+
+    @override_settings(MEDIA_ROOT="api/tests", DEBUG=True)
+    @patch("plugins.tasks.generate_plugins_xml", new=lambda *a, **kw: None)
+    @patch("plugins.validator._check_url_link", new=lambda *a, **kw: None)
+    @patch("plugins.tasks.run_security_scan.run_security_scan_task.delay")
+    def test_upload_queues_security_scan_task(self, mock_task):
+        """Security scan task must be queued (delay called) after upload."""
+        self.client.login(username="uploaduser", password="testpass")
+        valid_plugin = os.path.join(TESTFILE_DIR, "valid_plugin.zip_")
+        with open(valid_plugin, "rb") as f:
+            uploaded = SimpleUploadedFile("valid_plugin.zip_", f.read(), content_type="application/zip")
+
+        self.client.post(self.url, {"package": uploaded})
+
+        mock_task.assert_called_once()
+        # First argument must be the pk of the newly created version
+        version = PluginVersion.objects.filter(plugin__name="Test Plugin").first()
+        self.assertEqual(mock_task.call_args[0][0], version.pk)
+
+
+# ---------------------------------------------------------------------------
+# Download blocking tests
+# ---------------------------------------------------------------------------
+
+class VersionDownloadBlockingTest(TestCase):
+    """Tests that download is blocked for validating/blocked versions."""
+
+    def setUp(self):
+        self.factory = RequestFactory()
+        self.user = User.objects.create_user(
+            username="dluser", password="pass", email="dl@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(self.user)
+
+    def _get_download(self):
+        url = reverse("version_download", args=[self.plugin.package_name, self.version.version])
+        c = Client()
+        return c.get(url)
+
+    def test_download_allowed_for_pending(self):
+        """Pending (legacy) versions are downloadable."""
+        self.version.validation_status = VALIDATION_STATUS_PENDING
+        self.version.save()
+        response = self._get_download()
+        # May be 200 or redirect; must not be 403
+        self.assertNotEqual(response.status_code, 403)
+
+    def test_download_allowed_when_approved(self):
+        """Approved versions are always downloadable, regardless of validation_status."""
+        self.version.approved = True
+        self.version.validation_status = VALIDATION_STATUS_BLOCKED  # hypothetical edge case
+        self.version.save()
+        response = self._get_download()
+        self.assertNotEqual(response.status_code, 403)
+
+    def test_download_blocked_when_validating(self):
+        """Unapproved versions in 'validating' state must return 403."""
+        self.version.approved = False
+        self.version.validation_status = VALIDATION_STATUS_VALIDATING
+        self.version.save()
+        response = self._get_download()
+        self.assertEqual(response.status_code, 403)
+
+    def test_download_blocked_when_blocked(self):
+        """Unapproved versions in 'blocked' state must return 403."""
+        self.version.approved = False
+        self.version.validation_status = VALIDATION_STATUS_BLOCKED
+        self.version.save()
+        response = self._get_download()
+        self.assertEqual(response.status_code, 403)
+
+    def test_download_allowed_when_validated(self):
+        """Unapproved but validated versions can be downloaded."""
+        self.version.approved = False
+        self.version.validation_status = VALIDATION_STATUS_VALIDATED
+        self.version.save()
+        response = self._get_download()
+        self.assertNotEqual(response.status_code, 403)
+
+
+# ---------------------------------------------------------------------------
+# Approval blocking tests
+# ---------------------------------------------------------------------------
+
+class VersionApproveBlockingTest(TestCase):
+    """Tests that approval is blocked for validating/blocked versions."""
+
+    fixtures = ["fixtures/auth.json"]
+
+    def setUp(self):
+        self.client = Client()
+        self.staff_user = User.objects.create_user(
+            username="staffapprover", password="pass", email="staff@test.com",
+            is_staff=True,
+        )
+        self.staff_user.user_permissions.add(
+            Permission.objects.get(codename="can_approve")
+        )
+        self.plugin_owner = User.objects.create_user(
+            username="plgowner2", password="pass", email="owner2@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(
+            self.plugin_owner, VALIDATION_STATUS_VALIDATED
+        )
+        # staff_user.is_staff=True is sufficient for check_plugin_version_approval_rights
+
+    def _post_approve(self):
+        self.client.login(username="staffapprover", password="pass")
+        url = reverse("version_approve", args=[self.plugin.package_name, self.version.version])
+        return self.client.post(url)
+
+    def test_approve_allowed_when_validated(self):
+        """Staff can approve a validated version."""
+        self.version.validation_status = VALIDATION_STATUS_VALIDATED
+        self.version.save()
+        response = self._post_approve()
+        # Should redirect (302) after success
+        self.assertEqual(response.status_code, 302)
+        self.version.refresh_from_db()
+        self.assertTrue(self.version.approved)
+
+    def test_approve_blocked_when_validating(self):
+        """Staff cannot approve a version still being validated."""
+        self.version.validation_status = VALIDATION_STATUS_VALIDATING
+        self.version.save()
+        response = self._post_approve()
+        # Should redirect back with an error message
+        self.assertEqual(response.status_code, 302)
+        self.version.refresh_from_db()
+        self.assertFalse(self.version.approved)
+
+    def test_approve_blocked_when_blocked_status(self):
+        """Staff cannot approve a version blocked by security checks."""
+        self.version.validation_status = VALIDATION_STATUS_BLOCKED
+        self.version.save()
+        response = self._post_approve()
+        self.assertEqual(response.status_code, 302)
+        self.version.refresh_from_db()
+        self.assertFalse(self.version.approved)
+
+
+# ---------------------------------------------------------------------------
+# Manual re-scan view tests
+# ---------------------------------------------------------------------------
+
+class VersionRescanViewTest(TestCase):
+    """Tests for the version_rescan view."""
+
+    def setUp(self):
+        self.client = Client()
+        self.user = User.objects.create_user(
+            username="rescanuser", password="pass", email="rescan@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(
+            self.user, VALIDATION_STATUS_VALIDATED
+        )
+
+    @patch("plugins.views.run_security_scan_task")
+    def test_rescan_requires_login(self, mock_task):
+        """Anonymous users must be redirected to the login page."""
+        url = reverse("version_rescan", args=[self.plugin.package_name, self.version.version])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 302)
+        self.assertIn("/accounts/login/", response["Location"])
+        mock_task.delay.assert_not_called()
+
+    @patch("plugins.views.run_security_scan_task")
+    def test_rescan_requires_post(self, mock_task):
+        """GET requests to rescan must not trigger the task."""
+        self.client.login(username="rescanuser", password="pass")
+        url = reverse("version_rescan", args=[self.plugin.package_name, self.version.version])
+        response = self.client.get(url)
+        # Should return 405 (method not allowed)
+        self.assertEqual(response.status_code, 405)
+        mock_task.delay.assert_not_called()
+
+    @patch("plugins.views.run_security_scan_task")
+    def test_rescan_owner_can_trigger(self, mock_task):
+        """The plugin owner can trigger a manual re-scan."""
+        self.client.login(username="rescanuser", password="pass")
+        url = reverse("version_rescan", args=[self.plugin.package_name, self.version.version])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 302)
+        mock_task.delay.assert_called_once_with(self.version.pk, is_manual=True)
+
+    @patch("plugins.views.run_security_scan_task")
+    def test_rescan_non_owner_denied(self, mock_task):
+        """A user that doesn't own the plugin cannot trigger a re-scan."""
+        other_user = User.objects.create_user(
+            username="otheruser2", password="pass", email="other2@test.com"
+        )
+        self.client.login(username="otheruser2", password="pass")
+        url = reverse("version_rescan", args=[self.plugin.package_name, self.version.version])
+        response = self.client.post(url)
+        # Should redirect with an error, not call task
+        self.assertEqual(response.status_code, 302)
+        mock_task.delay.assert_not_called()
+
+
+# ---------------------------------------------------------------------------
+# Email notification tests
+# ---------------------------------------------------------------------------
+
+class UploadConfirmationEmailTest(TestCase):
+    """Tests for Stage 1 upload confirmation email."""
+
+    def setUp(self):
+        self.user = User.objects.create_user(
+            username="emailuser", password="pass", email="emailuser@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(self.user, VALIDATION_STATUS_VALIDATING)
+
+    @override_settings(DEBUG=False)
+    def test_upload_confirmation_email_sent(self):
+        """Stage 1 email is sent to plugin editors on upload."""
+        from plugins.views import send_upload_confirmation_email
+
+        mail.outbox = []
+        send_upload_confirmation_email(self.version)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn("emailuser@test.com", mail.outbox[0].to)
+        self.assertIn(self.plugin.name, mail.outbox[0].subject)
+        self.assertIn(self.version.version, mail.outbox[0].subject)
+
+    @override_settings(DEBUG=True)
+    def test_upload_confirmation_email_not_sent_in_debug(self):
+        """Stage 1 email must NOT be sent when DEBUG=True."""
+        from plugins.views import send_upload_confirmation_email
+
+        mail.outbox = []
+        send_upload_confirmation_email(self.version)
+        self.assertEqual(len(mail.outbox), 0)
+
+    @override_settings(DEBUG=False)
+    def test_upload_confirmation_email_body_contains_validating_status(self):
+        """Stage 1 email body must mention that validation is in progress."""
+        from plugins.views import send_upload_confirmation_email
+
+        mail.outbox = []
+        send_upload_confirmation_email(self.version)
+        body = mail.outbox[0].body.lower()
+        # Should mention validation / security check
+        self.assertTrue(
+            "validat" in body or "security" in body,
+            "Email body should mention validation or security checks",
+        )
+
+
+class ValidationResultsEmailTest(TestCase):
+    """Tests for Stage 2 validation results email."""
+
+    def setUp(self):
+        self.user = User.objects.create_user(
+            username="resultsuser", password="pass", email="results@test.com"
+        )
+        self.plugin, self.version = _make_plugin_version(self.user, VALIDATION_STATUS_VALIDATED)
+
+    def _make_scan(self, critical_count=0):
+        return PluginVersionSecurityScan.objects.create(
+            plugin_version=self.version,
+            scan_report={
+                "checks": [],
+                "summary": {
+                    "total_checks": 5,
+                    "passed": 5 - critical_count,
+                    "failed": critical_count,
+                    "critical": critical_count,
+                    "warning": 0,
+                    "info": 0,
+                    "files_scanned": 1,
+                },
+            },
+            critical_count=critical_count,
+            warning_count=0,
+            passed_checks=5 - critical_count,
+            total_checks=5,
+            files_scanned=1,
+        )
+
+    @override_settings(DEBUG=False)
+    def test_validated_results_email_sent(self):
+        """Stage 2 email is sent when plugin is validated (no critical issues)."""
+        scan = self._make_scan(critical_count=0)
+        self.version.validation_status = VALIDATION_STATUS_VALIDATED
+
+        mail.outbox = []
+        _send_validation_results_email(self.version, scan)
+
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn("results@test.com", mail.outbox[0].to)
+
+    @override_settings(DEBUG=False)
+    def test_blocked_results_email_sent(self):
+        """Stage 2 email is sent when plugin is blocked (critical issues found)."""
+        scan = self._make_scan(critical_count=2)
+        self.version.validation_status = VALIDATION_STATUS_BLOCKED
+
+        mail.outbox = []
+        _send_validation_results_email(self.version, scan)
+
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn("results@test.com", mail.outbox[0].to)
+
+    @override_settings(DEBUG=False)
+    def test_blocked_email_subject_indicates_failure(self):
+        """Stage 2 email subject must indicate failure for blocked versions."""
+        scan = self._make_scan(critical_count=1)
+        self.version.validation_status = VALIDATION_STATUS_BLOCKED
+
+        mail.outbox = []
+        _send_validation_results_email(self.version, scan)
+
+        subject = mail.outbox[0].subject.lower()
+        self.assertTrue(
+            "block" in subject or "fail" in subject or "critical" in subject or "issue" in subject,
+            f"Unexpected subject for blocked email: {mail.outbox[0].subject}",
+        )
+
+    @override_settings(DEBUG=True)
+    def test_results_email_not_sent_in_debug(self):
+        """Stage 2 email must NOT be sent when DEBUG=True."""
+        scan = self._make_scan(critical_count=0)
+
+        mail.outbox = []
+        _send_validation_results_email(self.version, scan)
+
+        self.assertEqual(len(mail.outbox), 0)
diff --git a/qgis-app/plugins/urls.py b/qgis-app/plugins/urls.py
index a2f26fca..f8985adf 100644
--- a/qgis-app/plugins/urls.py
+++ b/qgis-app/plugins/urls.py
@@ -425,6 +425,12 @@
         {},
         name="version_unapprove",
     ),
+    url(
+        r"^(?P<package_name>[A-Za-z][A-Za-z0-9-_]+)/version/(?P<version>[^\/]+)/rescan/$",
+        version_rescan,
+        {},
+        name="version_rescan",
+    ),
     url(
         r"^(?P<package_name>[A-Za-z][A-Za-z0-9-_]+)/version/(?P<version>[^\/]+)/feedback/$",
         version_feedback,
diff --git a/qgis-app/plugins/views.py b/qgis-app/plugins/views.py
index 4fe01bd5..f58913b4 100644
--- a/qgis-app/plugins/views.py
+++ b/qgis-app/plugins/views.py
@@ -37,6 +37,8 @@
 from plugins.decorators import has_valid_token
 from plugins.forms import *
 from plugins.models import (
+    VALIDATION_STATUS_BLOCKED,
+    VALIDATION_STATUS_VALIDATING,
     Plugin,
     PluginOutstandingToken,
     PluginVersion,
@@ -46,7 +48,7 @@
     PluginVersionSecurityScan,
     vjust,
 )
-from plugins.security_utils import get_scan_badge_info, run_security_scan
+from plugins.security_utils import get_scan_badge_info
 from plugins.utils import parse_remote_addr
 from plugins.validator import PLUGIN_REQUIRED_METADATA
 from rest_framework_simplejwt.exceptions import InvalidToken, TokenError
@@ -63,11 +65,55 @@
 # Decorator
 staff_required = user_passes_test(lambda u: u.is_staff)
 from plugins.tasks.generate_plugins_xml import generate_plugins_xml
+from plugins.tasks.run_security_scan import run_security_scan_task
 
 # Plugin Notification Recipients Group Name
 NOTIFICATION_RECIPIENTS_GROUP_NAME = settings.NOTIFICATION_RECIPIENTS_GROUP_NAME
 
 
+def send_upload_confirmation_email(plugin_version):
+    """
+    Send Stage 1 email: immediate upload confirmation to the plugin maintainer(s).
+
+    Informs the uploader that the plugin has been received and security checks
+    have been queued. The plugin is NOT yet available for approval or download.
+    """
+    plugin = plugin_version.plugin
+    recipients = [u.email for u in plugin.editors if u.email]
+    if not recipients:
+        return
+
+    domain = Site.objects.get_current().domain
+    mail_from = settings.DEFAULT_FROM_EMAIL
+    version_url = f"https://{domain}{plugin_version.get_absolute_url()}"
+    docs_url = f"https://{domain}/docs/security-scanning"
+
+    subject = _("Plugin Upload Confirmation: %(name)s v%(version)s") % {
+        "name": plugin.name,
+        "version": plugin_version.version,
+    }
+    message = _(
+        "Your plugin has been successfully uploaded and security checks have been queued.\n\n"
+        "Plugin: %(name)s\n"
+        "Version: %(version)s\n"
+        "Upload time: %(time)s\n"
+        "Validation status: Validating\n\n"
+        "IMPORTANT: Your plugin is NOT yet available for approval or download.\n"
+        "Security and quality checks are running and will complete shortly.\n"
+        "You will receive another email with the results.\n\n"
+        "Track progress: %(url)s\n"
+        "Security scanning docs: %(docs_url)s\n"
+    ) % {
+        "name": plugin.name,
+        "version": plugin_version.version,
+        "time": plugin_version.created_on,
+        "url": version_url,
+        "docs_url": docs_url,
+    }
+
+    send_mail_wrapper(str(subject), str(message), mail_from, recipients, fail_silently=True)
+
+
 def send_mail_wrapper(subject, message, mail_from, recipients, fail_silently=True):
     if settings.DEBUG:
         logging.debug("Mail not sent (DEBUG=True)")
@@ -557,8 +603,10 @@ def plugin_upload(request):
                     "version": form.cleaned_data.get("version"),
                     "created_by": request.user,
                     "package": form.cleaned_data.get("package"),
-                    "approved": request.user.has_perm("plugins.can_approve")
-                    or plugin.approved,
+                    # Always start unapproved; security checks will auto-approve
+                    # trusted users after validation completes.
+                    "approved": False,
+                    "validation_status": VALIDATION_STATUS_VALIDATING,
                     "experimental": form.cleaned_data.get("experimental", False),
                     "changelog": form.cleaned_data.get("changelog", ""),
                     "external_deps": form.cleaned_data.get("external_deps", ""),
@@ -566,52 +614,29 @@ def plugin_upload(request):
 
                 new_version = PluginVersion(**version_data)
                 new_version.save()
-                msg = _("The Plugin has been successfully created.")
+                msg = _("The Plugin has been successfully uploaded. Security and quality checks are now running asynchronously.")
                 messages.success(request, msg, fail_silently=True)
 
-                # Run security scan on the uploaded package
-                security_scan = run_security_scan(new_version)
-                if security_scan:
-                    # Add security scan results to messages with link to details
-                    scan_url = f"{new_version.get_absolute_url()}#security-tab"
-                    badge_info = get_scan_badge_info(security_scan)
-                    if security_scan.overall_status == "passed":
-                        messages.success(
-                            request,
-                            mark_safe(
-                                _(
-                                    f"✓ Security scan completed: {badge_info['text']}. <a href='{scan_url}'>View detailed report</a>"
-                                )
-                            ),
-                            fail_silently=True,
-                        )
-                    elif security_scan.overall_status == "critical":
-                        warnings.append(
-                            mark_safe(
-                                _(
-                                    f"⚠ Security scan found {security_scan.critical_count} critical issues. <a href='{scan_url}'><strong>View details and address these issues</strong></a>"
-                                )
-                            )
-                        )
-                    elif security_scan.overall_status == "warning":
-                        warnings.append(
-                            mark_safe(
-                                _(
-                                    f"ℹ Security scan found {security_scan.warning_count} warnings. <a href='{scan_url}'>Review details</a>"
-                                )
-                            )
-                        )
+                # Send Stage 1: Upload confirmation email
+                send_upload_confirmation_email(new_version)
+
+                # Queue async security scan task
+                run_security_scan_task.delay(new_version.pk)
 
                 # Update plugins cached xml
                 generate_plugins_xml.delay()
 
-                if not new_version.approved:
-                    msg = _(
-                        "Your plugin is awaiting approval from a staff member and will be approved as soon as possible."
+                # The version is awaiting security validation, no immediate approval
+                scan_url = f"{new_version.get_absolute_url()}#security-tab"
+                warnings.append(
+                    mark_safe(
+                        _(
+                            "Your plugin is being validated. Security and quality checks are "
+                            "running in the background. You will receive an email with the results. "
+                            f"<a href='{scan_url}'>Check validation status</a>"
+                        )
                     )
-                    warnings.append(msg)
-                    if not is_new:
-                        version_notify(new_version)
+                )
                 if not form.cleaned_data.get("metadata_source") == "metadata.txt":
                     msg = _(
                         "Your plugin does not contain a metadata.txt file, metadata have been read from the __init__.py file. This is deprecated and its support will eventually cease."
@@ -1566,71 +1591,45 @@ def _version_create(request, plugin, version):
                     "version_id": new_object.pk,
                 }
 
-                # Run security scan on the uploaded package
-                security_scan = run_security_scan(new_object)
-                if security_scan:
-                    # Add security scan results
-                    scan_url = f"{new_object.get_absolute_url()}#security-tab"
-                    badge_info = get_scan_badge_info(security_scan)
-                    response_data["security_scan"] = {
-                        "status": security_scan.overall_status,
-                        "critical_count": security_scan.critical_count,
-                        "warning_count": security_scan.warning_count,
-                        "info_count": security_scan.info_count,
-                        "scan_url": scan_url,
-                    }
+                # Always start unapproved with validating status;
+                # the async scan task will auto-approve trusted users after
+                # validation completes.
+                new_object.approved = False
+                new_object.validation_status = VALIDATION_STATUS_VALIDATING
+                new_object.save()
 
-                    if not is_api_request:
-                        if security_scan.overall_status == "passed":
-                            messages.success(
-                                request,
-                                mark_safe(
-                                    _(
-                                        f"✓ Security scan completed: {badge_info['text']}. <a href='{scan_url}'>View detailed report</a>"
-                                    )
-                                ),
-                                fail_silently=True,
-                            )
-                        elif security_scan.overall_status == "critical":
-                            messages.warning(
-                                request,
-                                mark_safe(
-                                    _(
-                                        f"⚠ Security scan found {security_scan.critical_count} critical issues. <a href='{scan_url}'><strong>View details and address these issues</strong></a>"
-                                    )
-                                ),
-                                fail_silently=True,
-                            )
-                        elif security_scan.overall_status == "warning":
-                            messages.info(
-                                request,
-                                mark_safe(
-                                    _(
-                                        f"ℹ Security scan found {security_scan.warning_count} warnings. <a href='{scan_url}'>Review details</a>"
-                                    )
-                                ),
-                                fail_silently=True,
-                            )
+                # Send Stage 1: Upload confirmation email
+                send_upload_confirmation_email(new_object)
 
-                # The approved flag is also controlled in the form, but we
-                # are checking it here in any case for additional security
-                if not is_trusted:
-                    new_object.approved = False
-                    new_object.save()
-                    approval_msg = _(
-                        "You do not have approval permissions, plugin version has been set unapproved."
-                    )
-                    response_data["approved"] = False
-                    response_data["approval_message"] = str(approval_msg)
-                    if not is_api_request:
-                        messages.warning(
-                            request,
-                            approval_msg,
-                            fail_silently=True,
+                # Queue async security scan task
+                run_security_scan_task.delay(new_object.pk)
+
+                scan_url = f"{new_object.get_absolute_url()}#security-tab"
+                response_data["validation_status"] = VALIDATION_STATUS_VALIDATING
+                response_data["approved"] = False
+                response_data["scan_url"] = scan_url
+
+                if is_api_request and not is_trusted:
+                    response_data["approval_message"] = str(
+                        _(
+                            "Your plugin version is pending security validation. "
+                            "It will be available for approval once all checks pass. "
+                            "You will receive an email with the results."
                         )
-                    version_notify(new_object)
-                else:
-                    response_data["approved"] = new_object.approved
+                    )
+
+                if not is_api_request:
+                    messages.info(
+                        request,
+                        mark_safe(
+                            _(
+                                "Security and quality checks are running in the background. "
+                                "You will receive an email with the results. "
+                                f"<a href='{scan_url}'>Check validation status</a>"
+                            )
+                        ),
+                        fail_silently=True,
+                    )
 
                 if form.cleaned_data.get("icon_file"):
                     form.cleaned_data["icon"] = form.cleaned_data.get("icon_file")
@@ -1971,6 +1970,21 @@ def version_approve(request, package_name, version):
         msg = _("You do not have approval rights for this plugin.")
         messages.error(request, msg, fail_silently=True)
         return HttpResponseRedirect(version.get_absolute_url())
+    # Block approval for versions that failed or are still undergoing security checks
+    if not version.is_available:
+        if version.validation_status == VALIDATION_STATUS_BLOCKED:
+            msg = _(
+                "This plugin version cannot be approved because it has been blocked "
+                "due to critical security issues. The author must upload a new version "
+                "with the issues resolved."
+            )
+        else:
+            msg = _(
+                "This plugin version cannot be approved yet because security validation "
+                "is still in progress. Please wait for the validation to complete."
+            )
+        messages.error(request, msg, fail_silently=True)
+        return HttpResponseRedirect(version.get_absolute_url())
     version.approved = True
     version.save()
     msg = (
@@ -2235,6 +2249,35 @@ def version_download(request, package_name, version):
     plugin = get_object_or_404(Plugin, package_name=package_name)
     version = get_object_or_404(PluginVersion, plugin=plugin, version=version)
 
+    # Block download if the version is being validated or has been blocked
+    # due to critical security issues. Only applies to unapproved versions —
+    # approved versions are always available.
+    if not version.approved and not version.is_available:
+        if version.validation_status == VALIDATION_STATUS_VALIDATING:
+            return render(
+                request,
+                "plugins/version_permission_deny.html",
+                {
+                    "reason": _(
+                        "This plugin version is currently undergoing security validation. "
+                        "Please wait for the validation to complete."
+                    )
+                },
+                status=403,
+            )
+        elif version.validation_status == VALIDATION_STATUS_BLOCKED:
+            return render(
+                request,
+                "plugins/version_permission_deny.html",
+                {
+                    "reason": _(
+                        "This plugin version has been blocked due to critical security issues. "
+                        "The author must upload a new version with the issues resolved."
+                    )
+                },
+                status=403,
+            )
+
     # Atomic increment using F() expressions - prevents race conditions
     PluginVersion.objects.filter(pk=version.pk).update(downloads=F("downloads") + 1)
 
@@ -2306,6 +2349,46 @@ def version_detail(request, package_name, version):
     )
 
 
+@login_required
+@require_POST
+def version_rescan(request, package_name, version):
+    """
+    Trigger a manual (informational) security re-scan for an existing plugin version.
+
+    This is for previously uploaded versions only. The scan results are
+    informational and do NOT change the plugin's current approval or
+    validation status.
+
+    Requires the user to be the plugin owner/staff.
+    """
+    plugin = get_object_or_404(Plugin, package_name=package_name)
+    version_obj = get_object_or_404(PluginVersion, plugin=plugin, version=version)
+
+    if not check_plugin_access(request.user, plugin):
+        msg = _("You do not have permission to trigger a security scan for this plugin.")
+        messages.error(request, msg, fail_silently=True)
+        return HttpResponseRedirect(version_obj.get_absolute_url())
+
+    # Queue the scan as a manual (informational) scan
+    run_security_scan_task.delay(version_obj.pk, is_manual=True)
+
+    messages.success(
+        request,
+        mark_safe(
+            _(
+                "A security re-scan has been queued for <strong>%(plugin)s v%(version)s</strong>. "
+                "Results are informational only and will not change the plugin's current status. "
+                "Refresh the Security Scan tab in a few minutes to see the results."
+            )
+            % {"plugin": plugin.name, "version": version_obj.version}
+        ),
+        fail_silently=True,
+    )
+    return HttpResponseRedirect(
+        version_obj.get_absolute_url() + "#security-tab"
+    )
+
+
 ###############################################
 
 # Misc functions
diff --git a/qgis-app/templates/flatpages/docs_security_scanning.html b/qgis-app/templates/flatpages/docs_security_scanning.html
index 0db7f3b9..f844ef93 100644
--- a/qgis-app/templates/flatpages/docs_security_scanning.html
+++ b/qgis-app/templates/flatpages/docs_security_scanning.html
@@ -2,144 +2,186 @@
 
 {% block content %}
 <div class="responsive-content">
-  <h4>Security Scanning Feature</h4>
+  <h4>Security Scanning</h4>
 
   <h5>Overview</h5>
   <p>
-    The QGIS Plugins Website includes an automated security, quality, and code analysis system that scans all uploaded plugin packages using <strong>industry-standard professional security tools</strong>. This is a <strong>non-blocking, informational feature</strong> designed to help developers identify potential security issues, code quality problems, and best practice violations.
+    Every plugin version uploaded to the QGIS Plugins Website is automatically scanned using
+    <strong>industry-standard open-source security tools</strong>. Scans run asynchronously in
+    the background immediately after upload. Checks are divided into two tiers:
   </p>
 
-  <p class="alert alert-info">
-    <strong>Important:</strong> These security checks are informational and do not block plugin upload or approval. Results are provided to help you improve your plugin's security and quality.
-  </p>
+  <div class="content">
+    <ul>
+      <li>
+        <strong class="has-text-danger">Blocking (CRITICAL)</strong> — Bandit and Secrets
+        Detection. A plugin version is <strong>blocked</strong> from download and approval until
+        critical findings are resolved by uploading a new, clean version.
+      </li>
+      <li>
+        <strong class="has-text-info">Non-blocking (INFO / WARNING)</strong> — Flake8, file
+        permissions, and suspicious file detection. Results are informational and do not affect
+        availability.
+      </li>
+    </ul>
+  </div>
 
-  <h5>Security Tools Used</h5>
-  <p>The scanner leverages professional open-source security tools:</p>
+  <h5>Validation Statuses</h5>
+
+  <div class="content">
+    <ul>
+      <li>
+        <strong>Validating</strong> — The scan is queued or running. The version is not yet
+        available for download or approval.
+      </li>
+      <li>
+        <strong>Validated</strong> — All checks passed (no critical issues). The version is
+        available for approval; trusted users are approved automatically.
+      </li>
+      <li>
+        <strong class="has-text-danger">Blocked</strong> — One or more critical issues were
+        found. The version cannot be downloaded or approved until a new, fixed version is
+        uploaded.
+      </li>
+    </ul>
+  </div>
+
+  <h5>Upload Flow</h5>
 
   <div class="content">
     <ol>
+      <li>You upload a plugin ZIP file.</li>
       <li>
-        <strong><a href="https://github.com/PyCQA/bandit" target="_blank" rel="noopener">Bandit</a></strong> - Industry-standard security linter for Python code
-        <ul>
-          <li>Detects common security issues</li>
-          <li>Identifies SQL injection vulnerabilities</li>
-          <li>Finds hardcoded passwords and secrets</li>
-          <li>Checks for unsafe function usage</li>
-        </ul>
+        The plugin passes structural validation (metadata, package format, size limits) and is
+        saved to the database with status <em>Validating</em>.
       </li>
       <li>
-        <strong><a href="https://github.com/Yelp/detect-secrets" target="_blank" rel="noopener">detect-secrets</a></strong> - Yelp's secrets detection tool
-        <ul>
-          <li>Finds API keys, tokens, passwords</li>
-          <li>Detects various secret patterns</li>
-          <li>Low false-positive rate</li>
-        </ul>
+        You receive a <strong>confirmation email</strong> acknowledging receipt and noting that
+        checks are running.
       </li>
+      <li>Security and quality checks run asynchronously in the background.</li>
       <li>
-        <strong><a href="https://flake8.pycqa.org/" target="_blank" rel="noopener">Flake8</a></strong> - Python code quality checker
+        You receive a <strong>results email</strong> once checks complete:
         <ul>
-          <li>PEP 8 style guide enforcement</li>
-          <li>Syntax error detection</li>
-          <li>Code complexity analysis</li>
+          <li>
+            <em>All checks passed</em> — your plugin is now available. Trusted users are
+            auto-approved; others await staff approval.
+          </li>
+          <li>
+            <em>Critical issues found</em> — your plugin is blocked. The email lists the
+            specific findings so you can fix them.
+          </li>
         </ul>
       </li>
+      <li>
+        Full scan details are always available on the version detail page under the
+        <strong>Security</strong> tab.
+      </li>
     </ol>
   </div>
 
-  <h5>What Gets Scanned</h5>
+  <h5>Security Tools Used</h5>
 
   <div class="content">
     <ol>
       <li>
-        <strong>Bandit Security Analysis (CRITICAL)</strong>
+        <strong><a href="https://github.com/PyCQA/bandit" target="_blank" rel="noopener">Bandit</a></strong>
+        <span class="tag is-danger is-light ml-2">BLOCKING</span> — Static analysis for Python security issues:
         <ul>
-          <li>Common security vulnerabilities in Python</li>
+          <li>Shell injection (<code>subprocess</code> with <code>shell=True</code>)</li>
+          <li>Use of unsafe built-ins (<code>eval</code>, <code>exec</code>, <code>pickle</code>)</li>
           <li>SQL injection risks</li>
-          <li>Hardcoded passwords and keys</li>
-          <li>Use of unsafe functions (eval, exec, pickle)</li>
-          <li>Shell injection vulnerabilities</li>
-          <li>Weak cryptography usage</li>
-          <li>And 100+ other security checks</li>
+          <li>Hardcoded passwords and weak cryptography</li>
+          <li>100+ additional checks</li>
         </ul>
       </li>
       <li>
-        <strong>Secrets Detection (CRITICAL)</strong>
+        <strong><a href="https://github.com/Yelp/detect-secrets" target="_blank" rel="noopener">detect-secrets</a></strong>
+        <span class="tag is-danger is-light ml-2">BLOCKING</span> — Detects hardcoded secrets:
         <ul>
-          <li>API keys and tokens</li>
-          <li>AWS credentials</li>
+          <li>AWS / cloud provider credentials</li>
+          <li>API keys and OAuth tokens</li>
           <li>Private SSH keys</li>
           <li>Database connection strings</li>
-          <li>OAuth tokens</li>
-          <li>Generic high-entropy strings</li>
+          <li>High-entropy strings that resemble secrets</li>
         </ul>
       </li>
       <li>
-        <strong>Code Quality - Flake8 (INFO)</strong>
+        <strong><a href="https://flake8.pycqa.org/" target="_blank" rel="noopener">Flake8</a></strong>
+        <span class="tag is-info is-light ml-2">INFORMATIONAL</span> — Python code quality:
         <ul>
-          <li>Python syntax errors</li>
           <li>PEP 8 style violations</li>
-          <li>Undefined names</li>
-          <li>Unused imports</li>
-          <li>Code complexity warnings</li>
+          <li>Syntax errors and undefined names</li>
+          <li>Unused imports and variables</li>
         </ul>
       </li>
       <li>
-        <strong>File Analysis (INFO/WARNING)</strong>
+        <strong>File Analysis</strong>
+        <span class="tag is-warning is-light ml-2">INFORMATIONAL</span> — Package structure checks:
         <ul>
-          <li>Executable files detection</li>
-          <li>Hidden files</li>
-          <li>Suspicious file types</li>
+          <li>Executable and hidden files</li>
+          <li>Suspicious file types (e.g. compiled binaries, scripts)</li>
           <li>Unusual file permissions</li>
         </ul>
       </li>
     </ol>
   </div>
 
-  <h5>How It Works</h5>
-
-  <p><strong>Upload Flow:</strong></p>
-  <div class="content">
-    <ol>
-      <li>User uploads a plugin ZIP file</li>
-      <li>Plugin passes blocking validation (metadata, structure, size limits)</li>
-      <li><strong>Security scan runs automatically</strong> during the upload process</li>
-      <li>Plugin is saved to database</li>
-      <li>Results are stored and displayed immediately</li>
-      <li>User sees scan summary in success messages</li>
-      <li>Full details available on version detail page</li>
-    </ol>
-  </div>
-
-  <p class="alert alert-info">
-    <strong>Note:</strong> The security scan runs synchronously during upload, which means the upload process completes once the scan finishes. This typically takes a few seconds for most plugins.
-  </p>
-
   <h5>Understanding Scan Results</h5>
 
-  <p>Each plugin version has a dedicated <strong>Security Scan</strong> tab showing:</p>
+  <p>
+    The <strong>Security</strong> tab on every version detail page shows:
+  </p>
 
   <div class="content">
     <ul>
-      <li><strong>Summary Card:</strong> Overall status, pass rate percentage, scan timestamp</li>
-      <li><strong>Quick Stats Grid:</strong> Total checks, passed checks, warnings, critical issues, files scanned</li>
-      <li><strong>Detailed Check Results:</strong> Expandable cards for each check showing:
+      <li><strong>Summary card</strong> — Overall status, pass rate, and scan timestamp</li>
+      <li><strong>Stats grid</strong> — Total checks, passed checks, warnings, critical issues, files scanned</li>
+      <li>
+        <strong>Per-check details</strong> — Expandable cards for each check showing:
         <ul>
-          <li>Affected file names</li>
-          <li>Line numbers</li>
-          <li>Issue descriptions</li>
-          <li>Code snippets (when applicable)</li>
+          <li>Affected file names and line numbers</li>
+          <li>Issue descriptions and code snippets</li>
         </ul>
       </li>
     </ul>
   </div>
 
+  <h5>Manual Re-scan</h5>
+
+  <p>
+    Plugin editors can trigger a manual re-scan at any time from the <strong>Security</strong>
+    tab. Re-scans are <strong>informational only</strong> — they refresh the displayed results
+    and the scan timestamp but do not change the version's validation status or approval state.
+    To clear a <em>Blocked</em> status, upload a new version with the issues resolved.
+  </p>
+
+  <h5>Trusted Users &amp; Auto-approval</h5>
+
+  <p>
+    Users who have been granted the <em>trusted</em> permission (<code>can_approve</code>) have
+    their plugin versions <strong>automatically approved</strong> once validation passes. Staff
+    approvers are notified by email only after a version reaches <em>Validated</em> status and
+    requires manual approval.
+  </p>
+
   <h5>Severity Levels</h5>
 
   <div class="content">
     <ul>
-      <li><strong class="has-text-danger">CRITICAL:</strong> Security vulnerabilities that should be fixed immediately (e.g., hardcoded credentials, SQL injection risks)</li>
-      <li><strong class="has-text-warning">WARNING:</strong> Issues that could lead to problems (e.g., vulnerable dependencies, weak practices)</li>
-      <li><strong class="has-text-info">INFO:</strong> Informational items and code quality suggestions (e.g., style violations, complexity warnings)</li>
+      <li>
+        <strong class="has-text-danger">CRITICAL</strong> — Blocking. Security vulnerabilities
+        that must be fixed before the plugin can be published (e.g. hardcoded credentials, shell
+        injection).
+      </li>
+      <li>
+        <strong class="has-text-warning">WARNING</strong> — Non-blocking. Issues that could lead
+        to problems and should be addressed (e.g. suspicious files, executable permissions).
+      </li>
+      <li>
+        <strong class="has-text-info">INFO</strong> — Non-blocking. Code quality suggestions
+        (e.g. PEP 8 violations, unused imports).
+      </li>
     </ul>
   </div>
 
@@ -147,54 +189,65 @@ <h5>Important Notes</h5>
 
   <div class="content">
     <ul>
-      <li><strong>✅ Non-Blocking:</strong> Scans never prevent plugin upload or approval</li>
-      <li><strong>⚠️ False Positives:</strong> Some warnings may be false positives. Review results in context of your plugin's functionality. For example, a password manager plugin may legitimately need to handle passwords.</li>
-      <li><strong>🔒 Privacy:</strong> Scans run locally on the server after upload. No external services are used except for Safety database lookups.</li>
-      <li><strong>📊 Transparency:</strong> All scan results are visible to plugin authors and administrators</li>
+      <li>
+        <strong>⚠️ False positives:</strong> Some findings may be false positives. For example,
+        a password-manager plugin may legitimately handle credentials. If you believe a critical
+        finding is incorrect, contact the site administrators.
+      </li>
+      <li>
+        <strong>🔒 Privacy:</strong> All scans run locally on the server. No plugin code is
+        sent to external services.
+      </li>
+      <li>
+        <strong>📊 Transparency:</strong> Full scan results are always visible to plugin authors
+        and administrators on the version detail page.
+      </li>
     </ul>
   </div>
 
-  <h5>Best Practices</h5>
+  <h5>Resolving a Blocked Plugin</h5>
 
   <div class="content">
     <ol>
-      <li><strong>Review critical issues immediately</strong> - These may indicate serious security vulnerabilities</li>
-      <li><strong>Address warnings when possible</strong> - They help improve plugin security and quality</li>
-      <li><strong>Use external configuration</strong> - Don't hardcode secrets, API keys, or credentials in your code</li>
-      <li><strong>Keep dependencies updated</strong> - Regularly check for vulnerable packages</li>
-      <li><strong>Follow PEP 8</strong> - Clean code is easier to audit and maintain</li>
-      <li><strong>Document legitimate use cases</strong> - If a warning is a false positive, consider adding comments explaining why</li>
+      <li>Open the <strong>Security</strong> tab on the blocked version's detail page.</li>
+      <li>Review the critical findings and fix them in your local copy of the plugin.</li>
+      <li>Upload a new version — the new version will be scanned automatically.</li>
+      <li>
+        You cannot unblock an existing version; each new upload starts a fresh scan.
+      </li>
     </ol>
   </div>
 
-  <h5>For Plugin Developers</h5>
+  <h5>Check Your Plugin Locally</h5>
 
-  <p>To check your plugin locally before uploading:</p>
+  <p>Run the same tools locally before uploading to catch issues early:</p>
 
-  <div >
-    <pre><code># Install the security tools
-pip install bandit detect-secrets flake8 flake8-json
+  <pre><code># Install the security tools
+pip install bandit detect-secrets flake8
 
 # Run checks on your plugin directory
 bandit -r your_plugin_directory/
 detect-secrets scan your_plugin_directory/
 flake8 your_plugin_directory/</code></pre>
-  </div>
 
   <h5>Support</h5>
 
-  <p>
-    If you have questions about scan results or need help addressing issues:
-  </p>
   <ul>
-    <li>Review the detailed scan results on your plugin's version detail page</li>
-    <li>Check the linked documentation for each security tool</li>
-    <li>Ask questions on the QGIS Developers mailing list</li>
-    <li>File issues on the <a href="https://github.com/qgis/QGIS-Plugins-Website" target="_blank" rel="noopener">QGIS-Plugins-Website GitHub repository</a></li>
+    <li>Review the detailed scan results on your plugin's version detail page.</li>
+    <li>Check the linked documentation for each security tool.</li>
+    <li>Ask questions on the QGIS Developers mailing list.</li>
+    <li>
+      File issues on the
+      <a href="https://github.com/qgis/QGIS-Plugins-Website" target="_blank" rel="noopener">
+        QGIS-Plugins-Website GitHub repository
+      </a>.
+    </li>
   </ul>
 
   <p class="alert alert-success">
-    <strong>Remember:</strong> The security scanner is here to help you create safer, higher-quality plugins. It's a tool to support you, not a barrier to entry. We encourage iterative improvements based on scan results.
+    <strong>Remember:</strong> The security scanner is here to help you create safer,
+    higher-quality plugins. Critical findings must be resolved, but non-blocking results are
+    purely advisory — use them as a guide for continuous improvement.
   </p>
 </div>
 {% endblock %}