13 Mar 2023

Wordfence Has Been Selling Info on Unfixed Vulnerability in YourChannel to Hackers for a Month

Recently, the WPTavern ran a post that claimed that the WordPress security provider Wordfence had responsibly disclosed a couple of vulnerabilities in plugins. That claim seemed to be based on Wordfence claiming they responsibly disclosed the vulnerabilities in their own post, but further information in that post contradicted that, as they also claimed that before they even notified the developer of the plugin about the vulnerability, they had provided a firewall rule for the vulnerability to their paying customers. That isn’t responsible disclosure, as responsible disclosure involves notifying the developer first and giving them a chance to address the vulnerability before notifying anyone else.

There isn’t any requirement that a security provider do responsible disclosure, but beyond the big problem of a security provider lying about what they are doing when trust is such an important part of security, Wordfence has criticized others for not doing responsible disclosure.