How to Handle Security Flaws

Yesterday, over at Blog Herald, the new management demonstrated the entirely wrong way of handling security flaws. (The flaw I detailed here)

WordPress celebrated it’s 500,000 install last month and cheers to them. The platform is stable, fast, easy to use. It has no cumbersome plugin architecture (like Textpattern). That’s not to say that it has never had its share of security vulnerabilities. In fact, there have been a number of documented fixes over the years.

WordPress has it’s own contact address for securtiy issues. It is In a dangerous world of XSS and SQL injection, the proper way to handle the discovery of a security flaw is to report it first and allow the vendor to provide a patch or a new version. I demonstrated this process when I reported the XSS flaw in the Democracy 1.2 plugin for WordPress. I alerted the plugin author, gave him an opportunity to provide a fixed version and he did.

That’s the responsible thing to do. Alert the autrhor. Let the vendor produce a fix. When a solution is handy, make the exploit public. Instead, J. Angelo Racoma, in his quest to be popular after buying Blog Herald, leaked the story the day before WordPress 2.0.6 was released.

Now, I’m not in on the day to day conversations at Automattic. I really have no idea if the release was scheduled for today or not. But regardless, reporting a bug that has not been publicized before ample time was provided for a bugfix, is irresponsible. The thousands of readers at the Blog Herald could very well have gone into a panic. The rumor mill could have begun to spin. And for what? Simply waiting a day or two would have meant Blog Herald could suggest installing WordPress 2.0.6. Instead, they mentioned a beta (read: could have bugs still) version of WordPress 2.0.6 was being publically tested.

J. Angelo’s comment to me was this:

the news would’ve spread even without us posting about it, so I thought it best to post this as a warning. Patching WP to fix bugs would always be a good idea.

Ah, but the word would spread after the public had been notified – which happened today with two reports – a day after J. Angelo decided to spook the world. Wave your hands in the air but offer no solution. Sounds like Democrats in Congress regarding Iraq.

Blog Herald’s reputation slipped with me ater the purchase from Matt Craven and BlogMedia. This incident causes me less to trust them because it appears they are only concerned with getting the scoop and not behaving as good blogizens.

12 Replies to “How to Handle Security Flaws”

  1. I’ll have to be 100% opposite advocate on this one. For a layman who is not a hacker or capable of hacking. If you knew about the problem and there was a patch in beta .. you should have mentioned it just as much as you claim he should not have mentioned it. I am assuming that the people crazy enough to do the hacking doesn’t need Abe or the Blog Herald to instruct them how to do it for them.

    And .. now you are using beta 2.1? What problems in 2.0.6 is there that makes you want to use 2.1 instead?

    Just a little harsh i.m.o.

  2. I agree with you Aaron. Blog Herald is just going down the toilet. It has obviously become an ATM for the new owners and that is said. I’m glad David spun up 901am.

  3. Blog Herald’s reputation slipped with me after the purchase from Matt Craven and BlogMedia

    So what exactly caused their reputation to slide in your mind? Was it the way the site has been operated post-sale? Or do you have something against the new owners?

    My hope is that you’re simply unhappy with the post-sale operation, and that my perception of seeping axe-to-grind cronyism in this post is just an illusion/delusion on my part.

  4. Yeah, it wouldn’t have been applicable to the post if you hadn’t mentioned your resentment towards them explicitly in the closing paragraph in your post. When you take a pot shot in the body of your post, not to mention the closing comment, the pot shot becomes applicable.

    In any case, it seems clear to me that you are totally taking this further then “here’s what not to do, do X in the future.” You’re using this as an opportunity to blast Blog Herald for something that, to me, seemed like a positive act in the general interest of the blogging community.

    Script Kiddies don’t have quick turnaround. So there was no worry there. Hacker communities are already privy to this sort of knowledge, so that’s obviousvly not an issue.

    I for one took the Blog Herald’s advice and fixed the templates.php file on all my blogs, without having to go through the arduous task of upgrading each one to WP 2.06

  5. No, frankly, the topic is 3 days old, I’ve already cleared the air with Tony Hung at BH, and I don’t really want to rehash things. You take it as you want it, Ryan.

    By the way, BH failed to mention 2 other issues that were fixed in 2.0.6. Recommend actually upgrading instead of thinking you’re safe by taking Blog Herald’s suggestion.

  6. “Blog Herald is just going down the toilet.”

    “Blog Herald’s reputation slipped with me after the purchase from Matt Craven and BlogMedia”

    Wow I like a challenge, seeing as some are quite happy to tarnish every new writer at the Blog Herald with the same brush.

    That’d be like me dissing everyone who writes a blog at b5media because of “issues” I have with them as an organisation.

    Every individual deserves their own chance. BH is evolving. If people have lowered standards of it, or think it’s going down the toilet, then that’s fine – just stop reading it. It’s what I’ve done (generally) for blogs I dislike.

  7. “If people have lowered standards of it”

    Oh well that bit didn’t make sense.

    I meant.

    “If people have lost respect or lowered their opinion of it,”

Comments are closed.