[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability

Andrew Nacin wp at andrewnacin.com
Sat Oct 9 03:15:11 UTC 2010

On Fri, Oct 8, 2010 at 9:11 PM, Jason Webster <jason at intraffic.net> wrote:

> Lame. If it were actually a security problem, individuals can react way
> faster than the core team to fix their sites.

That is against the concept of "responsible disclosure" of security
vulnerabilities in *any* software. That is, that the vendor should be first
contacted confidentially, to allow for a timely fix and, if necessary, a new

With regards to who can react faster, I'm not so sure about that. Perhaps
you know enough about core to be able to diagnose, not to mention fix, but
it is a serious disservice to millions of other users. We're concerned about
zero-day exploits, and that turns into a race to fix the vulnerability. Once
it is made public, the cat is out of the bag.

To provide some insight on how we function here, any email to
security/wordpress/org is quickly reviewed by a number of developers around
the world. If necessary, we will immediately get together in a private
communication channel to discuss the problem, and if further necessary, we
will devise, test, and commit a solution. We can get a new WordPress version
ready for download just as quickly.
