[wp-hackers] List etiquette

Ryan Duff ryan at ryanduff.net
Thu Apr 20 19:17:15 GMT 2006

Elliotte Harold wrote:
> Ryan Duff wrote:
>> Since you said that you tested and your proof of concept worked, it 
>> probably would have been better to directly send that information to 
>> Matt and Ryan Boren via the security at wordpress.org address.
> I disagree. Security by obscurity is at best 1 out of 2. Because you 
> posted the proof of concept I was able to analyze it, understand it, and 
> figure out how to protect myself against the attack despite a huge 
> amount of misinformation that continues to be thrown around on this 
> list. If you hadn't posted the proof of concept, I still wouldn't 
> understand exactly what the problem is or how to prevent it.
> The situation might be different if WordPress had a demonstrated record 
> of rapid fixes to security holes. However it doesn't. Security reports 
> tend to be trivialized, denied, and discarded. If bug fixes ever show 
> up, they're only for the absolute latest version leaving users of older 
> versions unprotected and exposed. Given that attitude, we're much better 
> off knowing as much as possible about any proposed exploit so we can 
> protect ourselves.

I was not giving you a right vs. wrong. I was just answering your 
question on list etiquette. My statement was based on previous emails 
and was "filling you in". I agree that security by obscurity is not the best 
way; some other people don't.

