[wp-hackers] WordPress plugin inspections

Chris Christoff hello at chriscct7.com
Thu Feb 20 17:53:04 UTC 2014


-----------------------------------------------------------
## Chris replied, on Feb 20 @ 1:52pm (AMT):

I think, frankly, your entire business model is backwards. As opposed
to publishing reviews without even asking for clarification, you
should instead do what bugcrowd does: get paid to find issues. That's
a service I know I, for instance, would pay for. Why aren't you doing
something like that?
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:49pm (AMT):

Hi Chris,

I've agreed previously on this thread that "Unsafe to use" was too
categorical, and have changed that text to "Potentially unsafe". We'll
continue to make changes to ensure we're being as clear and useful as
we can.

On the rest of your post, we may have to agree to disagree. It is not
commercially viable for us, or anyone else, to do comprehensive code
reviews for free. It is not acceptable, in my opinion, that people
with serious WordPress sites so frequently install plugins with no idea
as to their quality or security. We're trying to help by giving people
enough information to make slightly better decisions - for example, by
focusing the resources they do have on more thorough examination of
candidate plugins that are most likely to be problematic.

I hope it's clear by now that I am committed to making this site and
process better, and I'm very happy to take criticism and feedback that
helps us to improve. But I think, for now, for this thread, I won't
respond to more posts that say -- more or less -- "just don't do
this". Because I think that what we're doing does more good than harm,
even with its imperfections.

Cheers,

Harry

 _______________________________________________
 wp-hackers mailing list
 wp-hackers at lists.automattic.com
 http://lists.automattic.com/mailman/listinfo/wp-hackers

-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:41pm (AMT):

Again: you're announcing that the neighbor's shed *should be
condemned* ("unsafe to use"), based on "indications of badness, but no
specific vulnerabilities".

That is precisely where I have a problem with what you're doing.


-----------------------------------------------------------
## Chris replied, on Feb 20 @ 1:39pm (AMT):

So basically, it sounds to me like after spending "much time" on a
(still unproven to be) comprehensive review, you can't simply Google
the name of the author, look their email up on their GitHub repo, or
plug their name into Twitter.

It seems your entire business is based on providing mediocre (at
best) subpar reviews, which are then published to the public to
encourage users to not use what very likely could be a perfectly fine
plugin (since the highly subjective criteria of the review don't
even sound, by your own account, that comprehensive), and then not
alerting the author before publishing. Then, when said author finds out,
they in essence have to purchase your service to get their plugin
re-reviewed since, by your own account, while you'll review it for
free, you may or may not have the time, and a plugin author doesn't
want false reviews online for long. And since said reviews are done by
employees of unknown skill, the outcome of said review could just as
easily be determined by rolling a die.

So basically an author has to pay to remove what could very likely be
slander from the internet.
It very well seems your entire business model boils down to
monetizing the practice of slander, correct?

Here is, based on your own account, what such a report could be:
Avoid at all costs security.dxw.com, it is ABSOLUTELY RIDDLED WITH
MALWARE (imagine that in a giant red banner). See, we didn't really
actually review the code of said site that well, or even at all. It
was done by someone who is still learning HTML, and while we didn't
really review it, there's a possibility it contains malware, even
though we haven't proven it to exist yet. Therefore, our firm
recommendation is to avoid said site at all costs until said author
pays me $1,000,000 to re-review his site.
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:24pm (AMT):

Hi John,

This - more or less - is exactly how we operate.

We have a look. If we see indications of badness, but no specific
vulnerabilities, we write that up and publish the inspection.

If we see vulnerabilities, we write up an advisory and disclose it
responsibly, exactly as you suggest (details:
https://security.dxw.com/disclosure/).

I don't think it is necessary to disclose in advance for an
inspection, because we're not announcing that the neighbour's shed is
broken. We're announcing that the neighbour's shed's looking a bit old
and tatty, and that people might not want to keep their stuff in it
until it's fixed.

Quite a few people have suggested that we should reach out to plugin
authors, though. I am, in principle, happy to do that. But such a
mechanism would have to be at least partly automated, and we have no
private contact details for plugin authors. So, the best we could do
is probably to have a bot that posts on people's forums. But that's
more notification than notice, and I'm not sure I'm comfortable with
the idea of such a bot in any event.

If you have an idea for how we can reliably, semi-automatically give
authors notice, and then publish after some predefined time - I'm all
ears.

Harry


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Feb 20 @ 1:00pm (AMT):

As an example of an interesting way to handle crowd-sourcing security
reviews, check out what Github does with their Bug Bounty program:
https://bounty.github.com/

Basically, interested parties look for errors, report them to Github
when found, and get public credit and applause for finding the problem
(and the opportunity to disclose what they found) after it's been
fixed.

K. Adam White


-----------------------------------------------------------