[wp-forums] Security expert posting exploits

Otto otto at ottodestruct.com
Wed Jan 30 23:09:54 UTC 2013


On Wed, Jan 30, 2013 at 4:43 PM, Julio Potier - BoiteaWeb
<juliobosk at gmail.com> wrote:
> When I warn, I do not give the full exploit, I say "XSS, you have to
> sanitize" and "CSRF, use a nonce please", then if the author feigns death, I
> mail plugins at wp.org, but in most cases the author is happy to be warned.

Saying that any sort of exploit even exists, publicly, is too far.

Telling the authors privately (email) is preferred. If there's no
response, or even if there is, telling plugins@ is a good thing too so
we can take the proper steps to protect users.

Posting anything at all about it in a public forum is just wrong...
until there is a fix available.

-Otto
