[wp-meta] [Making WordPress.org] #5301: Is w.org and WordPress dropped security analysis, bug bounty support
Making WordPress.org
noreply at wordpress.org
Thu Jul 2 13:30:05 UTC 2020
#5301: Is w.org and WordPress dropped security analysis, bug bounty support
--------------------------------+----------------------
Reporter: KestutisIT | Owner: (none)
Type: defect | Status: closed
Priority: normal | Milestone:
Component: WordPress.org Site | Resolution: invalid
Keywords: |
--------------------------------+----------------------
Comment (by carike):
:wave:
Getting hacked sucks.
Unfortunately, the forums and the plugin repository are in a really tough
spot too.
Some vulnerabilities have gone unexploited for years and after public
disclosure we, as forum volunteers, have needed to help non-technical site
owners clean up their site after a hack.
It is a balancing act. I would love for security to be more transparent
and have a lower barrier to entry, making it easier for the ordinary site
owner to understand. It is easier said than done though :(
You are clearly not an ordinary non-technical site owner and you are in
the position to understand what WP Cron is and what it does / is meant to
do.
Unfortunately, the symptom of a hack is not always indicative of the
source of a hack.
While it is always possible that there is a vulnerability in Core (which
is handled by disclosure via HackerOne so that the security team can
hopefully patch something before it goes zero-day), experience shows that
the source of hacks is plugins more often than not (themes tend to be the
source less often, but it happens).
Please work with reputable clean-up services, or with a reputable
developer, to find the source of the hack. Unfortunately, that cannot
happen on the public forums, to protect other (often non-technical) site
owners.
If you find something actionable, please do report it via HackerOne (for
Core), or to plugins at wordpress.org in the case of a plugin so that we can
help to protect other members of the community.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5301#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>