When it comes to the inappropriate behavior on the part of the moderators of the WordPress Support Forum that lead to us full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up one thing that stands out is how strange so much of it is. If the moderators were, say, being paid off to delete reviews of plugins you could understand the motive behind it, but with what is going on so much is head scratching. Why would a moderator delete a reply just saying thank you, which is something that we have run across moderators recently as well as years ago. So it probably isn’t surprising that the first direct response from someone on the WordPress side of things to our protest doesn’t even really make sense.

That comes from one of the problematic moderators and starts with this:

@pluginvulns We play this silly game. You post in the #WordPress forums in a way that violates the rules. We remove your post and notify the plugins team. The plugins team acts on your report. Why not just email plugins directly? More efficient for all of us.

— Steve Stern (@sds52) December 12, 2018

That would make sense if we doing all this with a mistaken belief that doing things that way was more efficient to report vulnerabilities instead, but that isn’t the case at all or even close to be related to to what is going. How this person wouldn’t understand that is really hard to understand as we have a standardized message we leave on the Support Forum when mentioning that we have disclosed a vulnerability and it starts with this:

Due to the moderators of this forum continued refusal to operate in an appropriate fashion we have started full disclosing security vulnerabilities and only notifying developers of those disclosures through this forum.

Why that person would think that we are doing this for some entirely different is hard to understand (though it seems like it might not be the first time our clear explanation has been totally ignored). We also explain the same thing on each post for these full disclosures of vulnerabilities.

As for that being argument what we are doing it makes no more sense.

Making things less efficient for the people on the WordPress side of things wouldn’t be a negative for us since we are trying to get them to change their behavior and that would incentivize them to change, so that wouldn’t be a good reason for us to stop.

This process is actually more efficient for us then the reasonable disclosure we previously did and we would go back to if the inappropriate behavior stopped. With that process we have to spend a lot of time with the developers of plugins and it isn’t always in a productive fashion. For example, have to deal with developers arguing there isn’t a vulnerability instead of just working with us to get it fixed. And there are sometimes where we are sitting on knowledge of a vulnerability for a month because we were told that a vulnerability would be fixed in that window and it isn’t. In the meantime our customers that are paying to be alerted about vulnerabilities are left in the dark. Making things, when we hopefully can go back to reasonable disclosures, more problematic is that many of the vulnerabilities we are discovering now are things that our automated tool, the Plugin Security Checker, also flags the possibility of, which makes sitting on vulnerabilities more concerning. Full disclosure certainly has big downsides as well, but it does make our job easier.

Not surprisingly considering the track record of the moderators getting things wrong frequently, another part of the tweet isn’t true. It also speaks to the fact that what we are doing is actually more efficient for us, since actually dealing with vulnerabilities all the way through is difficult (and made more difficult when the moderators get in the way of doing that). Here is the claim:

[we] notify the plugins team. The plugins team acts on your report.

The reality is that frequently somewhere in that process things are going wrong. Take the arbitrary file viewing vulnerability we disclosed a couple of days ago in the plugin WebP Express. The vulnerability still exists in the plugin and is still in the Plugin Directory despite it looking like hackers are already moving to exploit it. That is far from the only vulnerability that hasn’t been dealt with. Amazingly in our replies to the moderator we pointed out that vulnerability was being exploited and yet a day later still nothing has been done (these people really don’t seem to care about security, unless it is to get in the way of others trying to properly deal with them).

In our replies we had also mentioned the other points made above. You would think the moderator would try to dispute that they are acting inappropriately or counter something we said, but instead there was another response that seems completely unrelated to what is actually going on:

It would be better if you'd just email the plugins team yourselves and follow the forums' disclosure rules. Just sayin'.

— Steve Stern (@sds52) December 12, 2018

In response we pointed out that part of the inappropriate behavior is there breaking the rules of the Support Forum that they are supposed to be enforcing and that there is an easy way for this to stop, as soon as moderators stop acting inappropriately, we stop what we have been doing, which led to this response:

<sigh>

— Steve Stern (@sds52) December 12, 2018

Those message from that moderator seem to go a long way to explain the mess anyone trying to interact in the Support Forum has to deal with since you have the people that moderate it who seem to have a distinct lack of ability to pay attention what they are getting involved in whatsoever.