[wp-hackers] WordPress plugin inspections

John dailyrants at gmail.com
Thu Feb 20 16:50:01 UTC 2014

The community would be better served if you first contacted plugin authors
and the maintainers of the WP plugin repo regarding security issues.

If the door on your neighbor's shed was broken, making it easy for thieves
to enter, would you first announce it to the whole community in a letter to
the editor alongside an ad for your door repair services, or would you be
Dudley Do-Right and tell your neighbor directly?

If you've reviewed enough code to make the claims, you can certainly reveal
specific vulnerabilities to the plugin authors and allow them to fix them.
This is pretty much the way any open source community handles security
issues. If you do enough of that, the money will come - if that's what you

After a reasonable period of time after security updates have been released
(or not in cases where plugin authors are unresponsive), the public service
announcement could follow.

On Thu, Feb 20, 2014 at 3:37 AM, Harry Metcalfe <harry at dxw.com> wrote:

> Disappointingly, we'll perhaps have to agree to disagree.
> I think the site is a positive contribution to WordPress's security.
> Hopefully, in time, we'll earn some trust. I'm not expecting that to be
> instant. I don't think we're condemning anybody: we're pointing out issues
> which are widely accepted to be indicative of problematic code.
> In the meantime, people are - of course - free to vote with their feet
> and not visit the site. Or set up a better one.
> Harry
> On 20/02/2014 01:05, Chris Williams wrote:
>> Let's see if I can summarize: you are using arbitrary criteria
>> administered by people of unknown skill/experience and using the results
>> to publicly condemn other people's work with an overly broad brush, and
>> without any mechanism for recourse.  The result has no positive benefits.
>> It demeans the plugin authors and their work, and by reflection your firm
>> and its work, raises alarm in the community you claim to support, and
>> garners you no goodwill.
>> I'm sorry, but given the train wreck this has become, my best advice is
>> precisely that: stop doing it.
>> On 2/19/14 1:32 PM, "Harry Metcalfe" <harry at dxw.com> wrote:
>>> But I do value the points you've made
>>> and we will make some changes based upon them. I'd be keen to hear any
>>> other feedback you might have later (short of "stop doing it"!)
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
