Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory
A week ago, we wrote about how a WordPress plugin that was being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence had known about the vulnerability but hadn’t made sure the plugin was removed. While checking into a claimed vulnerability to add it to our data set, we found another instance of that, which is more troubling.
In February, a Wordfence employee named Chloe Chamberland wrote a strange post on Wordfence’s blog that claimed in the headline, “the WordPress ecosystem is becoming more secure with responsible disclosure becoming More Common”. It is strange because the body of the post never uses the phrase responsible disclosure or otherwise mentions it. Instead, the author seems to be trying to suggest that doing something other than responsible disclosure is responsible disclosure. Responsible disclosure involves notifying a developer of a vulnerability and giving them a chance to resolve it before notifying anyone else. The post is actually suggesting that reporting of vulnerabilities in WordPress plugins be directed away from the developers and WordPress: