[wp-hackers] WordPress plugin inspections

Jamie Currie jamie at wunderdojo.com
Wed Feb 19 20:50:41 UTC 2014


I totally understand the particular criticisms being made here, and 
agree 100% that if you're going to put out a review it should be 
thorough, transparent, have an ability for redress, etc.

Still, I think the basic concept has merit. Right now plugins are a bit 
like Russian Roulette -- install one, cross fingers, see what happens to 
site. And for those who don't program or have limited knowledge you're 
really taking a chance because you truly have to trust that what you're 
installing isn't introducing vulnerabilities that you'd have no way of 
discovering or remedying.

If I put out a plugin I'd love to have people on this list tear it apart 
so that I can improve it. And I'd love to see some sort of a good 
housekeeping seal for plugins that have undergone a more rigorous 
evaluation.

I haven't released any of my plugins publicly thus far -- they've all 
been for private client projects -- but I do have a handful I hope to 
put out this year. But as it stands, I have no skin in this game, just 
chipping in my opinion.


Jamie Currie
Founder / CEO
wunderdojo
wunderdojo.com
tel: 949-734-0758
1840 Park Newport, #409
Newport Beach, CA 92660
Master web & app developers




------ Original Message ------
From: "Harry Metcalfe" <harry at dxw.com>
To: wp-hackers at lists.automattic.com
Sent: 2/19/2014 12:40:45 PM
Subject: Re: [wp-hackers] WordPress plugin inspections
>Hi Josh,
>
>Thanks for the heads-up. I've had a quick look at the github issue - 
>I'll reply to that feedback there.
>
>Regarding a private report - this isn't a vulnerability report. We do 
>those too (see the Advisories section) and we have a disclosure policy 
>for those which you can see here 
>(https://security.dxw.com/disclosure/).
>
>Inspections are a very light touch thing, and we don't think they go 
>into enough detail to be able to make categorical claims about 
>vulnerability. The idea behind an inspection is to give a general sense 
>of the sorts of issues which might exist. I'm about to reply to Chris's 
>post with more explanation on that point.
>
>Harry
>
>
>On 19/02/2014 19:45, Josh Pollock wrote:
>>Harry-
>>
>>I am the community manager for Pods. We were made aware of your evaluation
>>by a user who reported it in our GitHub issue tracker. Our lead
>>developer, Scott K. Clark, has responded to your claims, which we do not
>>consider to be fair, here:
>>
>>https://github.com/pods-framework/pods/issues/2043#issuecomment-35538379
>>
>>I would encourage you to contact the developers of plugins before releasing
>>vulnerability reports. This sort of vague report doesn't help us improve
>>our plugin, something we are constantly doing based on input from users. It
>>only serves to potentially confuse users.
>>
>>Take care,
>>Josh Pollock
>>
>>
>>On Wed, Feb 19, 2014 at 1:43 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>>Hello list,
>>>
>>>We write and publish light-touch inspections of WordPress plugins that we
>>>do for our clients. They are just a guide - we conduct some basic checks,
>>>not a thorough review.
>>>
>>>Would plugins which fail this inspection be of general interest to the
>>>list and therefore worth posting? Is the list also interested in
>>>vulnerability advisories, or do people tend to get those elsewhere?
>>>
>>>Here's an example report:
>>>
>>>https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>>
>>>Grateful for a steer...
>>>
>>>Harry
>>>
>>>
>>>--
>>>Harry Metcalfe
>>>07790 559 876
>>>@harrym
>>>
>>>_______________________________________________
>>>wp-hackers mailing list
>>>wp-hackers at lists.automattic.com
>>>http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>
