[wp-meta] [Making WordPress.org] #5301: Is w.org and WordPress dropped security analysis, bug bounty support
Making WordPress.org
noreply at wordpress.org
Thu Jul 2 12:31:43 UTC 2020
#5301: Is w.org and WordPress dropped security analysis, bug bounty support
--------------------------------+--------------------
Reporter: KestutisIT | Owner: (none)
Type: defect | Status: new
Priority: high | Milestone:
Component: WordPress.org Site | Keywords:
--------------------------------+--------------------
Hi,
I'm really worried about what's happening with WordPress. Are we again running
away from security issues, trying to hide them, closing forum topics and so on,
even when the goal of those topics is to inform others, stop the attack and
find the root cause, WITHOUT publishing the exact vulnerability until it gets
patched?
I disagree with Steven Stern's decision to close the forum topic and to hide the
fact that the newest WordPress, or one of the top plugins at w.org, is probably
vulnerable:
https://wordpress.org/support/topic/wp-admin-wp-update-a-virus/
Also, I don't get the point - IS WORDPRESS FREE OR NOT? Why am I forced
to PAY Sucuri or WordFence specialists, and not allowed to do the
investigation with our own team and consult with the community, so that all
together we find out what was done and how it was done, and then report
the vulnerability to the WP Foundation or the exact plugin/theme author?
**Mr. Steven Stern treats our team as idiots** who just got hacked. But
that is **NOT TRUE** - we followed a dozen security practices: there
was the Installatron auto-updater, there are auto-backup systems on the
server, there is a deep logging mechanism, there is BFM Bruteforce
Monitor + CSF firewall, and the Ubuntu server and DirectAdmin are updated to
the latest versions. If plugins/themes/WordPress were not updated, then it
was for just a month, not a year. And we still got hacked. The server is
in a trusted datacenter and the database server is on a separate server, so we
are pretty well set up for detection. We have a national cyber security center
(NKSC) in our country that we reported to and consult with, so we are getting
more and more information.
And if the newest WordPress has a critical security risk, that MUST BE
INVESTIGATED without trying to shut people down.
What Mr. Steven Stern did makes us feel that if we track down that
vulnerability we will just put a deface screen on W.org
- saying "Sorry, we asked for help, we wanted to investigate, but we were
shut down, so we are not reporting to everyone - top W.org plugins (or
WordPress) have a critical security flaw."
I don't think that this is the best way to solve the problems. So I ask
again - re-open the forum topic, and allow us to investigate and
discuss further. And then, when (if) we discover what is vulnerable, we will
report it in the official way.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5301>
Making WordPress.org <https://meta.trac.wordpress.org/>