How to Handle Security Flaws


Yesterday, over at Blog Herald, the new management demonstrated the entirely wrong way of handling security flaws. (The flaw I detailed here)

WordPress celebrated it’s 500,000 install last month and cheers to them. The platform is stable, fast, easy to use. It has no cumbersome plugin architecture (like Textpattern). That’s not to say that it has never had its share of security vulnerabilities. In fact, there have been a number of documented fixes over the years.

WordPress has it’s own contact address for securtiy issues. It is security@wordpress.org. In a dangerous world of XSS and SQL injection, the proper way to handle the discovery of a security flaw is to report it first and allow the vendor to provide a patch or a new version. I demonstrated this process when I reported the XSS flaw in the Democracy 1.2 plugin for WordPress. I alerted the plugin author, gave him an opportunity to provide a fixed version and he did.

That’s the responsible thing to do. Alert the autrhor. Let the vendor produce a fix. When a solution is handy, make the exploit public. Instead, J. Angelo Racoma, in his quest to be popular after buying Blog Herald, leaked the story the day before WordPress 2.0.6 was released.

Now, I’m not in on the day to day conversations at Automattic. I really have no idea if the release was scheduled for today or not. But regardless, reporting a bug that has not been publicized before ample time was provided for a bugfix, is irresponsible. The thousands of readers at the Blog Herald could very well have gone into a panic. The rumor mill could have begun to spin. And for what? Simply waiting a day or two would have meant Blog Herald could suggest installing WordPress 2.0.6. Instead, they mentioned a beta (read: could have bugs still) version of WordPress 2.0.6 was being publically tested.

J. Angelo’s comment to me was this:

the news would’ve spread even without us posting about it, so I thought it best to post this as a warning. Patching WP to fix bugs would always be a good idea.

Ah, but the word would spread after the public had been notified – which happened today with two reports – a day after J. Angelo decided to spook the world. Wave your hands in the air but offer no solution. Sounds like Democrats in Congress regarding Iraq.

Blog Herald’s reputation slipped with me ater the purchase from Matt Craven and BlogMedia. This incident causes me less to trust them because it appears they are only concerned with getting the scoop and not behaving as good blogizens.