[wp-hackers] List etiquette

Matt Mullenweg m at mullenweg.com
Thu Apr 20 19:33:17 GMT 2006

Elliotte Harold wrote:
> I disagree. Security by obscurity is at best 1 out of 2. Because you 
> posted the proof of concept I was able to analyze it, understand it, and 
> figure out how to protect myself against the attack despite a huge 
> amount of misinformation that continues to be thrown around on this 
> list. If you hadn't posted the proof of concept, I still wouldn't 
> understand exactly what the problem is or how to prevent it.

Yes, but the main responsibility of developers is not to Elliotte 
Harold. Your selfish interests do not coincide with the WP community.

I also missed your patch on Trac.

Publishing line-by-line exploits or details about security 
vulnerabilities when we do a release would help crackers far more than 
our general user base, which is overwhelmingly non-technical. We get 
flak about it, but frankly I care far more about our non-savvy and more 
vulnerable users than security-blinded idealists.

This is not "security by obscurity," our source code, SVN diffs, and 
Trac tickets are entirely public, it's just common sense of trying to 
help your users more than script kiddies.

Firefox has a very similar approach.

Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

More information about the wp-hackers mailing list