[wp-meta] [Making WordPress.org] #5301: Is w.org and WordPress dropped security analysis, bug bounty support

Making WordPress.org noreply at wordpress.org
Thu Jul 2 12:31:43 UTC 2020

#5301: Is w.org and WordPress dropped security analysis, bug bounty support
 Reporter:  KestutisIT          |      Owner:  (none)
     Type:  defect              |     Status:  new
 Priority:  high                |  Milestone:
Component:  WordPress.org Site  |   Keywords:
 I'm really worried what's happening with WordPress. Are we running again
 from security issues, trying to hide that, close forum topics and so on,
 even if the goal of these topics is to inform others and stop the attack
 and find roots, WITHOUT publishing the exact Vulnerability until it will
 get patched?

 I disagree with Steven Stern decision to close forum topic and to hide the
 fact that newest WordPress is probably vulnerable or one if it's top
 plugins at w.org:

 Also, I don't get the point - IS WORDPRESS IS FREE OR NOT. Why I am forced
 to PAY to Sucury or WordFence specialists, and I'm not allowed to do
 investigation with our own team and consult with community so we all
 together find the way what was done, and how it was done, and then report
 to WP Foundation or exact plugin/theme author, the vulnerability.

 **Mr. Steven Stern treats our team as idiots** who just got hacked. But
 that is **NOT TRUE** - we followed a dozen of security practices - there
 was Installatron Auto-Updater, there is auto-backups systems in the
 server, there is deep logging mechanism, there is BFM Bruteforce
 Monitor+CSF Firewall, the Ubuntu Server and DirectAdmin is updated to
 latest versions. Plugins/themes/WordPress if it was not updated, then it
 was just for a month, not a year. And we still got hacked. The server is
 in trusted datacenter, the database server is on separate server, so we a
 pretty well-detecting. We have a national cyber security center (NKSC) in
 our country that we reported to and we consult with. So we get more and
 more information.

 And if newest WordPress has a critical security risk, that MUST BE
 INVESTIGATED without trying to shut the people down.

 As this action what the Mr. Steven Stern did makes us try to feel, that if
 we will track that Vulnerability we will just put a deface screen on W.org
 - saying "Sorry, we asked for help, we wanted to investigate, but we were
 shut down, so we are not reporting to everyone - top W.org plugins (or
 WordPress has a critical security flaw).

 I don't think that this is the best way to solve the problems. So I ask
 again - re-open the forum topic, and allow us further investigate and
 discuss. And then, when (if) we will discoved what is vulnerable - we will
 report that in official way.

Ticket URL: <https://meta.trac.wordpress.org/ticket/5301>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list