[wp-hackers] List etiquette

Elliotte Harold elharo at metalab.unc.edu
Thu Apr 20 17:43:24 GMT 2006


Ryan Duff wrote:

> Since you said that you tested and your proof of concept worked, it 
> probably would have been better to directly send that information to 
> Matt and Ryan Boren via the security at wordpress.org address.
> 


I disagree. Security by obscurity is at best 1 out of 2. Because you 
posted the proof of concept I was able to analyze it, understand it, and 
figure out how to protect myself against the attack despite a huge 
amount of misinformation that continues to be thrown around on this 
list. If you hadn't posted the proof of concept, I still wouldn't 
understand exactly what the problem is or how to prevent it.

The situation might be different if WordPress had a demonstrated record 
of rapid fixes to security holes. However it doesn't. Security reports 
tend to be trivialized, denied, and discarded. If bug fixes ever show 
up, they're only for the absolute latest version leaving users of older 
versions unprotected and exposed. Given that attitude, we're much better 
off knowing as much as possible about any proposed exploit so we can 
protect ourselves.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
