[wp-meta] [Making WordPress.org] #5301: Is w.org and WordPress dropped security analysis, bug bounty support

Making WordPress.org noreply at wordpress.org
Thu Jul 2 13:30:05 UTC 2020


#5301: Is w.org and WordPress dropped security analysis, bug bounty support
--------------------------------+----------------------
 Reporter:  KestutisIT          |       Owner:  (none)
     Type:  defect              |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  WordPress.org Site  |  Resolution:  invalid
 Keywords:                      |
--------------------------------+----------------------

Comment (by carike):

 :wave:

 Getting hacked sucks.

 Unfortunately, the forums and the plugin repository are in a really tough
 spot too.
 Some vulnerabilities have gone unexploited for years and after public
 disclosure we, as forum volunteers, have needed to help non-technical site
 owners clean up their site after a hack.
 It is a balancing act.  I would love for security to be more transparent
 and have a lower barrier to entry, making it easier for the ordinary site
 owner to understand.  It is easier said than done though :(

 You are clearly not an ordinary non-technical site owner and you are in
 the position to understand what WP Cron is and what it does / is meant to
 do.
 Unfortunately, the symptom of a hack is not always indicative of the
 source of a hack.
 While it is always possible that there is a vulnerability in Core (which
 is handled by disclosure via HackerOne so that the security team can
 hopefully patch something before it goes zero-day), experience shows that
 the source of hacks is plugins more often than not (themes tend to be the
 source less often, but it happens).

 Please work with reputable clean-up services, or with a reputable
 developer, to find the source of the hack.  Unfortunately, that cannot
 happen on the public forums, to protect other (often non-technical) site
 owners.
 If you find something actionable, please do report it via HackerOne (for
 Core), or to plugins at wordpress.org in the case of a plugin so that we can
 help to protect other members of the community.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/5301#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>