11 Mar 2016

Get Alerted When WordPress Plugin Developers Are Not Taking Security Seriously

With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to decide whether you should continue using the plugin. The problem is that making that judgment isn't always easy. If you are not dealing with this type of thing on a regular basis, there is a good chance you wouldn't know which security issues are of little concern and which are a major concern going forward. You would also have to dig in to see whether the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability gets exploited. Since we already come in contact with that type of information, we thought it would be useful to put the knowledge we are collecting to use: we are now publishing advisories for developers whose security practices are seriously lacking, so it is easier to find out about them.

The idea for this also came up because, unfortunately, we are seeing developers who are doing a really bad job of making sure their plugins are secure. The first advisory we released involves a company that has not been taking basic security measures, had a really serious vulnerability in one of their plugins, doesn't respond in a timely manner when contacted about security issues, and takes weeks to fix them. The subject of the second one has repeatedly fixed only part of the security issues reported to them. [Read more]

23 Feb 2016

Our New Companion Chrome Extension

With our service you get an email alert if an installed plugin has a vulnerability in the version you are using (the alert is also shown on the Installed Plugins page). In cases where the vulnerability hasn't been fixed in a newer version of the plugin by the time we become aware of it, we take steps to rectify that, because alerting you to a vulnerability without a solution is of limited usefulness. We first try to get in touch with the developer to make sure they have been made aware of the issue (often they haven't) and offer to help them fix it. In cases where that isn't possible or doesn't work, our next step is to notify the people running the WordPress Plugin Directory. At that point the plugin is usually removed from the directory pending a fix. While that will often get the developer to deal with the issue (and quickly), it doesn't always.

As we first discussed almost four years ago, WordPress admins are not being made aware that their websites are using plugins that have been removed from the Plugin Directory due to security issues (for almost that long the people running the directory have said that they were working on a solution, but it still hasn't happened). With our service you get notified about the plugins you have installed, but what if you head over to the plugin's page on the WordPress Plugin Directory? You will just get a page indicating that it can't be found: [Read more]