Wordfence Caused 18 Day Delay in Developer Being Notified of WordPress Plugin Vulnerability
One of the more troubling things going on with our competitors in providing information about vulnerabilities in WordPress plugins is how those security providers are trying to direct vulnerability reports about plugins away from developers and to themselves. Among the problems with that is that it can lead to significant delays in developers being informed of the vulnerabilities. Here, for example, is the timeline that Wordfence disclosed for one recent instance of such redirection:
May 26, 2024 – We received the submission for the PHP Object Injection to Remote Code Execution vulnerability in GiveWP via the Wordfence Bug Bounty Program.
June 10, 2024 – We validated the report and confirmed the proof-of-concept exploit.
June 13, 2024 – We sent the full disclosure details to the vendor’s known email address.
So it took 18 days (15 of them spent validating the report) before any attempt was made to provide the information to the developer. (It appears that Wordfence then didn't try to make contact in the best possible way, either.) And that is the timeline they were willing to admit to. Based on what we can glean, the delay can be much longer than that with some of the other providers.
Wordfence claims that they do responsible disclosure, but it hardly seems responsible to take 18 days to notify the developer. It definitely isn’t responsible to sell information on vulnerabilities to any hackers willing to pay before notifying the developer, which Wordfence also does.
You would hope that WordPress would step in and say that security providers shouldn't be trying to get reports directed away from developers, but another provider involved in this is part of Automattic. That would be the Automattic that WordPress more and more seems to be an arm of. That would also be the Automattic that is somehow able to get people on the team running the WordPress Plugin Directory without it being disclosed that they are joining or are on the team.