[wp-hackers] WordPress plugin inspections

Chris Christoff hello at chriscct7.com
Thu Feb 20 17:39:32 UTC 2014


-----------------------------------------------------------
## Chris replied, on Feb 20 @ 1:39pm (AMT):

So basically, it sounds to me like after spending "much time" on a (still unproven to be) comprehensive review, you can't simply Google the name of the author, look their email up on their GitHub repo, or plug their name into Twitter.

It seems your entire business is based on providing mediocre (at best) subpar reviews, which are then published to the public to encourage users to not use what very likely could be a perfectly fine plugin (since the highly subjective criteria of the review doesn't even sound, by your own account, that comprehensive), and then not alert the author before publishing. Then, when said author finds out, they in essence have to purchase your service to get their plugin re-reviewed since, by your own account, while you'll review it for free, you may or may not have the time, and a plugin author doesn't want false reviews online for long. And since said reviews are done by employees of unknown skill, the outcome of said review could just as easily be determined by rolling a dice.

So basically an author has to pay to remove what could very likely be slander from the internet.

It very well seems your entire business model boils down to monetizing the practice of slander, correct?

Here is, based on your own account, what such a report could be:

Avoid at all costs security.dxw.com, it is ABSOLUTELY RIDDLED WITH MALWARE (imagine that in a giant red banner). See, we didn't really actually review the code of said site that well, or even at all. It was done by someone who is still learning HTML, and while we didn't really review it, there's a possibility it contains malware, even though we haven't proven it to exist yet. Therefore, our firm recommendation is to avoid said site at all costs until said author pays me $1,000,000 to re-review his site.
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com
@chriscct7
If you feel the need to donate, as a college student, I appreciate donations of any amount. The easiest way to donate to my college fund is via the donation button at the bottom of my homepage: http://chriscct7.com/



-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:24pm (AMT):

Hi John,

This - more or less - is exactly how we operate.

We have a look. If we see indications of badness, but no specific vulnerabilities, we write that up and publish the inspection.

If we see vulnerabilities, we write up an advisory and disclose it responsibly, exactly as you suggest (details: https://security.dxw.com/disclosure/).

I don't think it is necessary to disclose in advance for an inspection, because we're not announcing that the neighbour's shed is broken. We're announcing that neighbour's shed's looking a bit old and tatty, and that people might not want to keep their stuff in it until it's fixed.

Quite a few people have suggested that we should reach out to plugin authors, though. I am, in principle, happy to do that. But such a mechanism would have to be at least partly automated, and we have no private contact details for plugin authors. So, the best we could do is probably to have a bot that posts on people's forums. But that's more notification than notice, and I'm not sure I'm comfortable with the idea of such a bot in any event.

If you have an idea for how we can reliably, semi-automatically give authors notice, and then publish after some predefined time - I'm all ears.

Harry

 _______________________________________________
 wp-hackers mailing list
 wp-hackers at lists.automattic.com
 http://lists.automattic.com/mailman/listinfo/wp-hackers

-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:00pm (AMT):

As an example of an interesting way to handle crowd-sourcing security reviews, check out what Github does with their Bug Bounty program: https://bounty.github.com/

Basically, interested parties look for errors, report them to Github when found, and get public credit and applause for finding the problem (and the opportunity to disclose what they found) after it's been fixed.

K. Adam White


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 12:50pm (AMT):

The community would be better served if you first contacted plugin authors and the maintainers of the WP plugin repo regarding security issues.

If the door on your neighbor's shed was broken, making it easy for thieves to enter, would you first announce it to the whole community in a letter to the editor alongside an ad for your door repair services, or would you be Dudley Do-Right and tell your neighbor directly?

If you've reviewed enough code to make the claims, you can certainly reveal specific vulnerabilities to the plugin authors and allow them to fix them. This is pretty much the way any open source community handles security issues. If you do enough of that, the money will come - if that's what you want.

After a reasonable period of time after security updates have been released (or not in cases where plugin authors are unresponsive), the public service announcement could follow.

> Disappointingly, we'll perhaps have to agree to disagree.
>
> I think the site is a positive contribution to WordPress's security. Hopefully, in time, we'll earn some trust. I'm not expecting that to be instant. I don't think we're condemning anybody: we're pointing out issues which are widely accepted to be indicative of problematic code.
>
> In the meantime, people are - of course - free to vote with their feet and not visit the site. Or set up a better one.
>
> Harry
>
>> Let's see if I can summarize: you are using arbitrary criteria administered by people of unknown skill/experience and using the results to publicly condemn other people's work with an overly broad brush, and without any mechanism for recourse. The result has no positive benefits. It demeans the plugin authors and their work, and by reflection your firm and its work, raises alarm in the community you claim to support, and garners you no goodwill.
>>
>> I'm sorry, but given the train wreck this has become, my best advice is precisely that: stop doing it.
>>
>>> But I do value the points you've made and we will make some changes based upon them. I'd be keen to hear any other feedback you might have later (short of "stop doing it"!)
>>>

-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 8:08am (AMT):

On Thu, 20 Feb 2014 08:37:55 +0000

> Disappointingly, we'll perhaps have to agree to disagree.
>
> I think the site is a positive contribution to WordPress's security. Hopefully, in time, we'll earn some trust. I'm not expecting that to be instant. I don't think we're condemning anybody: we're pointing out issues which are widely accepted to be indicative of problematic code.
>
> In the meantime, people are - of course - free to vote with their feet and not visit the site. Or set up a better one.

Do you contact the developers privately about your findings before posting them to the public?

--
Peter van der Does

GPG key: CB317D6E

Site: http://avirtualhome.com
GitHub: https://github.com/petervanderdoes
Twitter: @petervanderdoes


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 4:38am (AMT):

Disappointingly, we'll perhaps have to agree to disagree.

I think the site is a positive contribution to WordPress's security. Hopefully, in time, we'll earn some trust. I'm not expecting that to be instant. I don't think we're condemning anybody: we're pointing out issues which are widely accepted to be indicative of problematic code.

In the meantime, people are - of course - free to vote with their feet and not visit the site. Or set up a better one.

Harry

> Let's see if I can summarize: you are using arbitrary criteria administered by people of unknown skill/experience and using the results to publicly condemn other people's work with an overly broad brush, and without any mechanism for recourse. The result has no positive benefits. It demeans the plugin authors and their work, and by reflection your firm and its work, raises alarm in the community you claim to support, and garners you no goodwill.
>
> I'm sorry, but given the train wreck this has become, my best advice is precisely that: stop doing it.
>
>> But I do value the points you've made and we will make some changes based upon them. I'd be keen to hear any other feedback you might have later (short of "stop doing it"!)

-----------------------------------------------------------