[wp-hackers] List etiquette
elharo at metalab.unc.edu
Thu Apr 20 17:43:24 GMT 2006
Ryan Duff wrote:
> Since you said that you tested and your proof of concept worked, it
> probably would have been better to directly send that information to
> Matt and Ryan Boren via the security at wordpress.org address.

I disagree. Security by obscurity is at best 1 out of 2. Because you
posted the proof of concept I was able to analyze it, understand it, and
figure out how to protect myself against the attack despite a huge
amount of misinformation that continues to be thrown around on this
list. If you hadn't posted the proof of concept, I still wouldn't
understand exactly what the problem is or how to prevent it.

The situation might be different if WordPress had a demonstrated record
of rapid fixes to security holes. However it doesn't. Security reports
tend to be trivialized, denied, and discarded. If bug fixes ever show
up, they're only for the absolute latest version leaving users of older
versions unprotected and exposed. Given that attitude, we're much better
off knowing as much as possible about any proposed exploit so we can

Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!