The WordPress security provider Wordfence claims to engage in responsible disclosure of vulnerabilities:

Wordfence has been performing successful vulnerability research and responsible disclosure for over a decade.

They claim doing otherwise is irresponsible:

Not using responsible disclosure is seen as irresponsible behavior in the information security community, and can quickly end what might have been a promising career in cybersecurity.

And that responsible disclosure is the “backbone of safe and effective cybersecurity research”:

Responsible disclosure is the backbone of safe and effective cybersecurity research.

Oftentimes journalist repeat their claims that they are doing responsible disclosure, without doing any due diligence on the claim.

The reality is that they don’t actually engage in responsible disclosure and are selling information that permits exploiting undisclosed, unfixed vulnerabilities to anyone, including hackers, willing to pay them $99 a year.

Disclosure Process

Here is how they explain the first steps listed in their disclosure process:

1. Our Threat Intelligence team verifies the vulnerability and determines severity.
2. Where possible, we develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.
3. We notify the vendor, if necessary, and simultaneously release a firewall rule to protect our premium customers via the Threat Defense Feed. Customer sites are updated immediately with the rule and no customer action is required.

By their own admission, they are providing information about vulnerabilities, in the form of firewall rules, to their paying customers before the developers of the software have even had a chance to review the information, much less have had a chance to release a fix.

Also, by their own admission, those firewall rules can be reverse engineered by hackers. They claim to obfuscate those rules to prevent that, but that turns out not to be true.

The Rules are Not Obfuscated

30 days after firewall rules are made available to their paying customers, they are made available to those using their Wordfence Security plugin but not paying for their services. This is a firewall rule that was added to their free data at the end of last month:

if (versionLessThanEqualTo(‘2.3.0’, wordpress.plugins[‘menu-ordering-reservations’]) and match(‘#/wp\-admin/admin\-ajax\.php$#i’, server.script_filename) and match(‘#^(glf_|restaurant_system_customize_button|restaurant_system_insert_dialog)#’, request.body.action, request.queryString.action) and currentUserIsNot(‘administrator’, server.empty)):
block(id=505, category=’auth-bypass’, score=100, description=’Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.0 – Missing Authorization on AJAX Actions’, whitelist=0)

There is no obfuscation done there and a hacker could easily go from that to an exploit. So Wordfence isn’t telling the truth about doing obfuscation.

The other big issue with that if the information there is accurate, then there are vulnerabilities up through version 2.3.0 of the WordPress plugin Restaurant Menu. As of when we were writing this post, that was the version being made available for download from the WordPress Plugin Directory:

The developer submitted a new version attempting to address the vulnerability on October 3, but failed to make it available. It also incompletely addresses the issue. We notified the developer of that, but as of the writing of this post, they hadn’t taken any further action.

Not Responsible Disclosure

So Wordfence has provided hackers willing to pay them $99 the information needed to exploit the vulnerabilities for over a month without a fix available. That isn’t responsible disclosure. It isn’t in any way illegal for them to do that, but it should be a big deal that a security company would lie so blatantly. It also should be a big deal that journalists would be spreading that lie instead of exposing it.