When it comes to handling disclosure of vulnerabilities, we think the best approach isn’t either of the extremes, responsible disclosure or full disclosure. You might actually call responsible disclosure irresponsible disclosure, since it could involve never disclosing a vulnerability if it isn’t fixed, which is a bad idea because it shouldn’t be assumed that others can’t independently find the same vulnerability someone else found, and they might be someone that is going to exploit it. Beyond the obvious issues that can come with full disclosure, there are other real world problems that it can cause. Our approach up until now has been what we refer to as reasonable disclosure, which in our case tries to balance the need to notify our customers, who are paying to be notified about vulnerabilities in WordPress plugins, of vulnerabilities in a timely manner, as well as getting vulnerabilities fixed before disclosure happens as much as possible.
Here is what our policy has been up until now:
We believe in reasonable disclosure, which involves providing developers notification of vulnerabilities we will disclose ahead of the disclosure, but doesn’t involve waiting potentially forever for a developer to fix the vulnerability.
Many of the vulnerabilities we disclose are likely already being exploited, so not disclosing them means that people using the plugin are left completely vulnerable, whereas with disclosure they have a chance to do something. Therefore we will quickly disclose those. For those vulnerabilities we include the data on them in the free data that comes with our service’s companion plugin, so even those not using the service yet can be notified of the issue. Other providers also have the ability to include the vulnerabilities in their data, since we disclose them publicly at the same time.
For some other vulnerabilities we disclose, the vulnerabilities are rather obvious when looking at a report of another vulnerability in a plugin. If we have spotted those, you can be sure that others could as well, so keeping quiet about them doesn’t do much to limit the possibility of their exploitation, and we will usually quickly disclose those.
As the funding for our discovering all of these vulnerabilities comes from our customers paying to be notified of vulnerabilities in the plugin they use, keeping quiet about them for a significant amount of time is also shortchanging our customers.
For vulnerabilities that are not being exploited or are not obvious due to a previous vulnerability, we will disclose them 30 days after notifying the developer if the developer responds to our notification, or 7 days if they don’t respond, or after they have been fixed, whichever comes first. For vulnerabilities where the developer is no longer around (which is fairly often with WordPress plugins), we will disclose them immediately.
We hope to return to that, but we have decided, in light of the continued inability of the moderators of the WordPress Support Forum to act appropriately, which is actively getting in the way of improving the security of WordPress plugins, that we need to change course until such time as they start acting appropriately. So what we will now do is full disclosure of vulnerabilities, and the only notice we will provide to the developers is through the Support Forum. So the moderators will have a choice to make, whether they want to help improve the security of WordPress plugins or to continue to act inappropriately instead.
While that has downsides, the current situation with the moderation of the Support Forum, and the other bad behavior by the people running the WordPress Plugin Directory that it helps to allow to fester, has major downsides of its own that we can’t abide by. Just earlier today we discussed how that causes vulnerabilities to go unfixed. In a previous instance we tried to discuss WordPress’ continued refusal to properly address unfixed vulnerabilities that are being exploited with a member of the Plugin Directory (they also are in charge of the WordPress moderators and work directly for Matt Mullenweg), but instead of being willing to discuss the issue or accept our attempt to help them, our comment was just deleted. Covering up security issues instead of fixing them, whether intended or not, has been a recurring problem with the moderation of the Support Forum and it needs to stop.
If the moderators actually care about security, as they would tell you they do, despite how they actually act, then they would have an interest in cleaning up their act due to this. If not, then it would be an indication that they need to be removed en masse and replaced with others who can act appropriately.
We’re not hopeful that this will be quickly resolved, but we have to do everything we can to stop their bad behavior because we have seen how harmful it is, not just when it comes to the security of plugins, but when it comes to people looking for help with security issues on their websites.
What is Appropriate Behavior?
We really shouldn’t even have to explain what appropriate behavior is since it should be so obvious, but here are the main elements we can think of:
- Don’t violate the guidelines of the Support Forum. You would think that this wouldn’t be an issue since they are the ones moderating the thing, but they can’t even handle the basics of that now. For example, one of the headlines of those guidelines is “Do Not Advertise or Promote Products”, and yet the moderators repeatedly promote a couple of security companies to clean up hacked websites (while at the same time their actions make it harder to fix security issues that could lead to websites being hacked).
- Handle disagreements with users of the Support Forum through professional adult discussions instead of simply deleting things that they disagree with and be able to understand that they in fact can be wrong about things. We, for example, have tried to discuss their violating the guidelines, but they were unable to handle that and instead deleted what we wrote.
- Don’t post on things they don’t understand. This really ties into the last item, since you often have moderators providing people incorrect information, and then they appear to not be able to handle that someone provides information that disputes that, leading to accurate information being deleted.
- Undelete the things they have inappropriately deleted related to us and stop their general harassment of us on the forum. By inappropriately deleted, we mean things like this comment that someone left thanking us that they deleted (that deletion somehow actually happened). In some cases even over a year after we have written something (for which moderators were part of the thread at the time), a moderator has gone and deleted it, which seems like behavior of someone that has some serious issues.
- Update (9/27/18): Restore our original account on wordpress.org, which they spent time disabling instead of notifying the developer of a plugin with 700,000+ active installations of one of the vulnerabilities we fully disclosed (we couldn’t make up how terrible these people are).
- Update (10/2/2018): Restore our plugins, which in the case of the companion plugin for our service, actually helps to protect against the continued bad handling of the security of WordPress plugins by the WordPress team.