I've a issue with password disclosure when using the M2 Release Plugin and entering the password.
During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.
As a easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter scm username/password. I can read in the Log:
see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)