[wp-hackers] List etiquette
ryan at ryanduff.net
Thu Apr 20 19:17:15 GMT 2006
Elliotte Harold wrote:
> Ryan Duff wrote:
>> Since you said that you tested and your proof of concept worked, it
>> probably would have been better to directly send that information to
>> Matt and Ryan Boren via the security at wordpress.org address.
> I disagree. Security by obscurity is at best 1 out of 2. Because you
> posted the proof of concept I was able to analyze it, understand it, and
> figure out how to protect myself against the attack despite a huge
> amount of misinformation that continues to be thrown around on this
> list. If you hadn't posted the proof of concept, I still wouldn't
> understand exactly what the problem is or how to prevent it.
> The situation might be different if WordPress had a demonstrated record
> of rapid fixes to security holes. However it doesn't. Security reports
> tend to be trivialized, denied, and discarded. If bug fixes ever show
> up, they're only for the absolute latest version leaving users of older
> versions unprotected and exposed. Given that attitude, we're much better
> off knowing as much as possible about any proposed exploit so we can
> protect ourselves.
I was not giving you a right vs. wrong. I was just answering your
question on list etiquette. My statement was based on previous emails
and was "filling you in". I agree security by obscurity is not the best
way; some other people don't.
irc.freenode.net #wordpress #plogger