[wp-hackers] WordPress plugin inspections

Chip Bennett chip at chipbennett.net
Wed Feb 19 20:44:18 UTC 2014


For me, the incongruity happens when a "light touch review" leads to an
"Unsafe To Use" conclusion. I don't see how you can justify such a
conclusion without actually evaluating the code.


On Wed, Feb 19, 2014 at 3:40 PM, Harry Metcalfe <harry at dxw.com> wrote:

> Hi Josh,
>
> Thanks for the heads-up. I've had a quick look at the github issue - I'll
> reply to that feedback there.
>
> Regarding a private report - this isn't a vulnerability report. We do
> those too (see the Advisories section) and we have a disclosure policy for
> those which you can see here (https://security.dxw.com/disclosure/).
>
> Inspections are a very light touch thing, and we don't think they go into
> enough detail to be able to make categorical claims about vulnerability.
> The idea behind an inspection is to give a general sense of the sorts of
> issues which might exist. I'm about to reply to Chris's post with more
> explanation on that point.
>
> Harry
>
>
>
> On 19/02/2014 19:45, Josh Pollock wrote:
>
>> Harry-
>>
>> I am the community manager for Pods. We were made aware of your evaluation
>> by a user who reported it in our GitHub issue tracker. Our lead
>> developer, Scott K. Clark, has responded to your claims, which we do not
>> consider to be fair, here:
>>
>> https://github.com/pods-framework/pods/issues/2043#issuecomment-35538379
>>
>> I would encourage you to contact the developers of plugins before
>> releasing vulnerability reports. This sort of vague report doesn't help
>> us improve our plugin, something we are constantly doing based on input
>> from users. It only serves to potentially confuse users.
>>
>> Take care,
>> Josh Pollock
>>
>>
>> On Wed, Feb 19, 2014 at 1:43 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>> Hello list,
>>>
>>> We write and publish light-touch inspections of WordPress plugins that we
>>> do for our clients. They are just a guide - we conduct some basic checks,
>>> not a thorough review.
>>>
>>> Would plugins which fail this inspection be of general interest to the
>>> list and therefore worth posting? Is the list also interested in
>>> vulnerability advisories, or do people tend to get those elsewhere?
>>>
>>> Here's an example report:
>>>
>>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>>
>>> Grateful for a steer...
>>>
>>> Harry
>>>
>>>
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>
>
