[wp-forums] Security expert posting exploits

Mika A Epstein ipstenu at ipstenu.org
Wed Jan 30 23:01:57 UTC 2013


Julio, it's an issue of public vs private disclosure.

If you tell everyone 'hey, there's a XSS here!' then you're making a 
possible exploit public, and that just isn't cool.

The BEST thing is to tell the devs privately, if at all possible. Most of 
them have their URLs in the readme.txt, and generally we have contact 
pages ;)

Either way, always email plugins at wordpress.org so I can hit them with a 
hammer.

Julio Potier - BoiteaWeb wrote:
>
> Thank you again.
>
> When I warn, I do not give the full exploit, I say "XSS, you have to
> sanitize" and "CSRF, use nonce please", then if the author feigns death, I
> mail plugins at wp.org, but in major cases the author is happy to be warned.
>
> Have a nice day/night
>
> *Julio POTIER
> BLOG.boiteaweb.fr<http://blog.boiteaweb.fr>*
> *SECU.boiteaweb.fr<http://secu.boiteaweb.fr/>*
> *"Security is our business"*
>
> Tel: 06 89 38 19 04
> Twitter : @BoiteaWeb<http://twitter.com/#%21/boiteaweb>
> Skype : *julio.boiteaweb*
>
>
> 2013/1/30 Jan Dembowski<jan at dembowski.net>
>
>>
>> Good Evening Julio! I was sure that you subscribed to this list.
>>
>> I personally do not have any issue with your posting plugin notifications
>> like that. Others may chime in on that topic. ;)
>>
>> If it's a critical plugin vulnerability then yes, please report the issue
>> to plugins at wordpress.org. I think you can tell the difference between XSS
>> and being able to write and execute arbitrary code on demand on a WordPress
>> installation...
>>
>> The hire proposal was the "Not Good" part and I'm glad you won't do it
>> again.
>>
>> Thanks,
>>
>> Jan Dembowski
>>
>> On Wed, Jan 30, 2013 at 5:28 PM, Julio Potier - BoiteaWeb<
>> juliobosk at gmail.com> wrote:
>>
>>>
>>> Hello
>>>
>>> In the past, "you" told me that I could post it to the author, then to
>>> plugins at wp.org; now do not post, for real, what is the thing?
>>>
>>> For the hire proposal, sorry, i won't do it again.
>>>
>>> Thank you
>>>
>>> 2013/1/30 Jan Dembowski<jan at dembowski.net>
>>>
>>>>
>>>> On Wed, Jan 30, 2013 at 5:09 PM, Mark Ratledge wrote:
>>>>
>>>>>
>>>>> User "I'm Julio Potier, Web Security Consultant and WordPress Expert" is
>>>>> posting that plugins have security holes, i.e.
>>>>> http://wordpress.org/support/topic/security-issue-22?replies=1
>>>>> http://wordpress.org/support/topic/security-flaws?replies=1
>>>>>
>>>>
>>>> He does that. I think I've asked him in the past to contact those plugin
>>>> authors more directly and he'd replied that the plugin author is not
>>>> reachable. Just publicly notifying like that isn't bad really IMHO.
>>>>
>>>>
>>>>>
>>>>> and posting for hire
>>>>> http://wordpress.org/support/topic/my-website-is-showing-hacked-message-what-should-i-do?replies=3&view=all
>>>>> http://wordpress.org/support/profile/juliobox
>>>>
>>>>
>>>> Now THAT'S bad and I've b'coded his account for now.
>>>>
>>>> He didn't even try to post the standard "what to do if you've been hacked"
>>>> reply. It's a self-help forum and while we do sometimes reply with "seek
>>>> professional help" he really should have at least made the effort first
>>>> instead of zipping in "I'm Web Security Consultant, you can hire me".
>>>>
>>>> I think this came up a couple of days ago and I agree with Mika: trying to
>>>> help people out and pointing out that you do that sort of work is
>>>> not necessarily a bad thing. But you really need to assist in the forums
>>>> first or at least exhaust some of the self-help alternatives. It's not just
>>>> going through the motions, the volunteer work should be primary and
>>>> self-promotion a distant second.
>>>>
>>>> Thanks,
>>>>
>>>> Jan Dembowski
>>>> _______________________________________________
>>>> wp-forums mailing list
>>>> wp-forums at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-forums
>>>>
>>>
>>
>

