1 Nov 2024

The Mystery of the WordPress Security Team or WordPress Core Security Team

In trying to cover various elements of the current situation with WordPress, we have run into a pre-existing issue: the lack of almost any official information on the WordPress security team or teams. This is very different from how other similar, but smaller, projects handle things. You can easily find a lot of information on the teams for both Drupal and Joomla, including who is on the teams and their scope. It isn’t even clear how many teams there are for WordPress or if they actually exist as a team.

Recently, Matt Mullenweg cited the “WordPress security team” when announcing the takeover of the plugin Advanced Custom Fields. He linked to the WordPress.org Security page when mentioning that. That page mentions a team labeled as the WordPress Security Team:

The WordPress Security Team works to identify and resolve security issues across the WordPress core software, harden the software against threats such as the OWASP Top Ten, and provide guidance across the ecosystem.

Who is on the team isn’t specified:

In addition to more than 50 trusted experts, including lead developers, security researchers, and key contributors to every component of WordPress, sponsored members of the Security Team dedicate time to identifying and addressing concerns in the software and ecosystem.

Recently the Matt Mullenweg-owned WP Tavern referred to someone as the “WordPress Core Security Team Lead” while mentioning a tweet of theirs. That would appear to be based on them describing themselves that way in their Twitter account’s profile.

So is there a WordPress Security Team and a WordPress Core Security Team, or is that the same team?

Things get odder. WordPress has a page listing the Team Reps for the various WordPress teams. There is no listing for a Security or a Core Security team. It also says that there are no Team Leads other than in the core team (emphasis theirs):

Often, Team Reps are the people who would be labeled Leads if we had that designation, but please avoid calling people Team Lead rather than Team Rep. There are many cases where the team reps will not be the same people that are considered “Leads” (a title we only have on core team right now, but could discuss for others if people think it’s useful), so being careful with language now will prevent confusion later.

Team Rep is a leadership role that is mostly administrative in nature; it is not a Lead role. Letting go of the Team Rep title is not a loss of status, just a handing off of responsibilities. Someone who is a leader in a team can lead whether they are doing the team rep job or not.

That would suggest there isn’t really a separate security team at all, but something that exists within the Core Team. Yet the Project Organization page of the Core Team doesn’t make any mention of security at all.

There is a section of make.wordpress.org that would appear to be for the Security team. The only information posted there in over two years has been mentions of bug bounties. The person who has posted all the entries there in the last two years has badges for being in the Security Team and being a Security Contributor:

Confusingly, someone who claims they are a member of the WordPress Security Team doesn’t have either of those badges:

The basic lack of information as to what is going on here is strange. It wouldn’t be a big deal if the handling of security by WordPress was going well. But it isn’t. Even the core WordPress software has long-known security issues that are not being fixed, despite their involvement in lots of websites being hacked.

What seems to be the underlying problem is that WordPress lacks governance. Instead, it relies on one person controlling everything, which isn’t working well.
