[wp-hackers] WordPress plugin inspections

K.Adam White kadamwhite at gmail.com
Thu Feb 20 17:00:06 UTC 2014


As an example of an interesting way to handle crowd-sourcing security
reviews, check out what Github does with their Bug Bounty program:
https://bounty.github.com/

Basically, interested parties look for errors, report them to Github when
found, and get public credit and applause for finding the problem (and the
opportunity to disclose what they found) after it's been fixed.

K. Adam White


On Thu, Feb 20, 2014 at 11:50 AM, John <dailyrants at gmail.com> wrote:

> The community would be better served if you first contacted plugin authors
> and the maintainers of the WP plugin repo regarding security issues.
>
> If the door on your neighbor's shed was broken, making it easy for thieves
> to enter, would you first announce it to the whole community in a letter to
> the editor alongside an ad for your door repair services, or would you be
> Dudley Do-Right and tell your neighbor directly?
>
> If you've reviewed enough code to make the claims, you can certainly reveal
> specific vulnerabilities to the plugin authors and allow them to fix them.
> This is pretty much the way any open source community handles security
> issues. If you do enough of that, the money will come - if that's what you
> want.
>
> After a reasonable period of time after security updates have been released
> (or not in cases where plugin authors are unresponsive), the public service
> announcement could follow.
>
>
> On Thu, Feb 20, 2014 at 3:37 AM, Harry Metcalfe <harry at dxw.com> wrote:
>
> > Disappointingly, we'll perhaps have to agree to disagree.
> >
> > I think the site is a positive contribution to WordPress's security.
> > Hopefully, in time, we'll earn some trust. I'm not expecting that to be
> > instant. I don't think we're condemning anybody: we're pointing out issues
> > which are widely accepted to be indicative of problematic code.
> >
> > In the meantime, people are - of course - free to vote with their feet
> > and not visit the site. Or set up a better one.
> >
> > Harry
> >
> >
> > On 20/02/2014 01:05, Chris Williams wrote:
> >
> >> Let's see if I can summarize: you are using arbitrary criteria
> >> administered by people of unknown skill/experience and using the results
> >> to publicly condemn other people's work with an overly broad brush, and
> >> without any mechanism for recourse.  The result has no positive benefits.
> >> It demeans the plugin authors and their work, and by reflection your firm
> >> and its work, raises alarm in the community you claim to support, and
> >> garners you no goodwill.
> >>
> >> I'm sorry, but given the train wreck this has become, my best advice is
> >> precisely that: stop doing it.
> >>
> >>
> >> On 2/19/14 1:32 PM, "Harry Metcalfe" <harry at dxw.com> wrote:
> >>
> >>> But I do value the points you've made
> >>> and we will make some changes based upon them. I'd be keen to hear any
> >>> other feedback you might have later (short of "stop doing it"!)
> >>>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >

