[wp-hackers] WordPress plugin inspections
Chris Christoff
hello at chriscct7.com
Thu Feb 20 17:39:32 UTC 2014
-----------------------------------------------------------
## Chris replied, on Feb 20 @ 1:39pm (AMT):
So basically, it sounds to me like after spending "much time" on a (still unproven to be) comprehensive review, you can't simply Google the name of the author, look their email up on their GitHub repo, or plug their name into Twitter.
It seems your entire business is based on providing mediocre (at best) subpar reviews, which are then published to the public to encourage users to not use what very likely could be a perfectly fine plugin (since the highly subjective criteria of the review don't even sound, by your own account, that comprehensive), and then not alerting the author before publishing. Then, when said author finds out, they in essence have to purchase your service to get their plugin re-reviewed since, by your own account, while you'll review it for free, you may or may not have the time, and a plugin author doesn't want false reviews online for long. And since said reviews are done by employees of unknown skill, the outcome of said review could just as easily be determined by rolling a die.

So basically an author has to pay to remove what could very likely be slander from the internet.

It very well seems your entire business model boils down to monetizing the practice of slander, correct?
Here is, based on your own account, what such a report could be:

Avoid at all costs security.dxw.com, it is ABSOLUTELY RIDDLED WITH MALWARE (imagine that in a giant red banner). See, we didn't really actually review the code of said site that well, or even at all. It was done by someone who is still learning HTML, and while we didn't really review it, there's a possibility it contains malware, even though we haven't proven it to exist yet. Therefore, our firm recommendation is to avoid said site at all costs until said author pays me $1,000,000 to re-review his site.
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com
@chriscct7

If you feel the need to donate, as a college student, I appreciate donations of any amount. The easiest way to donate to my college fund is via the donation button at the bottom of my homepage: http://chriscct7.com/
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:24pm (AMT):
Hi John,
This - more or less - is exactly how we operate.

We have a look. If we see indications of badness, but no specific vulnerabilities, we write that up and publish the inspection. If we see vulnerabilities, we write up an advisory and disclose it responsibly, exactly as you suggest (details: https://security.dxw.com/disclosure/).

I don't think it is necessary to disclose in advance for an inspection, because we're not announcing that the neighbour's shed is broken. We're announcing that the neighbour's shed's looking a bit old and tatty, and that people might not want to keep their stuff in it until it's fixed.

Quite a few people have suggested that we should reach out to plugin authors, though. I am, in principle, happy to do that. But such a mechanism would have to be at least partly automated, and we have no private contact details for plugin authors. So, the best we could do is probably to have a bot that posts on people's forums. But that's more notification than notice, and I'm not sure I'm comfortable with the idea of such a bot in any event.

If you have an idea for how we can reliably, semi-automatically give authors notice, and then publish after some predefined time - I'm all ears.
Harry
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:00pm (AMT):
As an example of an interesting way to handle crowd-sourcing security reviews, check out what GitHub does with their Bug Bounty program: https://bounty.github.com/

Basically, interested parties look for errors, report them to GitHub when found, and get public credit and applause for finding the problem (and the opportunity to disclose what they found) after it's been fixed.
K. Adam White
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 12:50pm (AMT):
The community would be better served if you first contacted plugin authors and the maintainers of the WP plugin repo regarding security issues.

If the door on your neighbor's shed was broken, making it easy for thieves to enter, would you first announce it to the whole community in a letter to the editor alongside an ad for your door repair services, or would you be Dudley Do-Right and tell your neighbor directly?

If you've reviewed enough code to make the claims, you can certainly reveal specific vulnerabilities to the plugin authors and allow them to fix them. This is pretty much the way any open source community handles security issues. If you do enough of that, the money will come - if that's what you want.

After a reasonable period of time after security updates have been released (or not in cases where plugin authors are unresponsive), the public service announcement could follow.
> Disappointingly, we'll perhaps have to agree to disagree.
>
> I think the site is a positive contribution to WordPress's security.
> Hopefully, in time, we'll earn some trust. I'm not expecting that to be
> instant. I don't think we're condemning anybody: we're pointing out issues
> which are widely accepted to be indicative of problematic code.
>
> In the meantime, people are - of course - free to vote with their feet
> and not visit the site. Or set up a better one.
>
> Harry
>
>> Let's see if I can summarize: you are using arbitrary criteria
>> administered by people of unknown skill/experience and using the results
>> to publicly condemn other people's work with an overly broad brush, and
>> without any mechanism for recourse. The result has no positive benefits.
>> It demeans the plugin authors and their work, and by reflection your firm
>> and its work, raises alarm in the community you claim to support, and
>> garners you no goodwill.
>>
>> I'm sorry, but given the train wreck this has become, my best advice is
>> precisely that: stop doing it.
>>
>>> But I do value the points you've made
>>> and we will make some changes based upon them. I'd be keen to hear any
>>> other feedback you might have later (short of "stop doing it"!)
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 8:08am (AMT):
On Thu, 20 Feb 2014 08:37:55 +0000
> Disappointingly, we'll perhaps have to agree to disagree.
>
> I think the site is a positive contribution to WordPress's security.
> Hopefully, in time, we'll earn some trust. I'm not expecting that to
> be instant. I don't think we're condemning anybody: we're pointing
> out issues which are widely accepted to be indicative of problematic
> code.
>
> In the meantime, people are - of course - free to vote with their
> feet and not visit the site. Or set up a better one.
Do you contact the developers privately about your findings before posting them to the public?
--
Peter van der Does
GPG key: CB317D6E
Site: http://avirtualhome.com
GitHub: https://github.com/petervanderdoes
Twitter: @petervanderdoes
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 4:38am (AMT):
Disappointingly, we'll perhaps have to agree to disagree.

I think the site is a positive contribution to WordPress's security. Hopefully, in time, we'll earn some trust. I'm not expecting that to be instant. I don't think we're condemning anybody: we're pointing out issues which are widely accepted to be indicative of problematic code.

In the meantime, people are - of course - free to vote with their feet and not visit the site. Or set up a better one.
Harry
> Let's see if I can summarize: you are using arbitrary criteria
> administered by people of unknown skill/experience and using the results
> to publicly condemn other people's work with an overly broad brush, and
> without any mechanism for recourse. The result has no positive benefits.
> It demeans the plugin authors and their work, and by reflection your firm
> and its work, raises alarm in the community you claim to support, and
> garners you no goodwill.
>
> I'm sorry, but given the train wreck this has become, my best advice is
> precisely that: stop doing it.
>
>> But I do value the points you've made
>> and we will make some changes based upon them. I'd be keen to hear any
>> other feedback you might have later (short of "stop doing it"!)
-----------------------------------------------------------