
Should WordPress Theme and Plugin Companies Offer Security Bounties


There has been a recent onslaught of security vulnerabilities in some popular community and premium plugins. The most recent include WordPress SEO, Pods and Gravity Forms. Each of these plugins was vulnerable to Blind SQL Injection, and all of the flaws were similar in nature. But there have been several others, including MailPoet’s file upload vulnerability disclosed by Sucuri and the WP All Import remote code execution that I remember seeing.

I saw several tweets this morning from the founder of Gravity Forms in which he was very upset at how these vulnerabilities were disclosed. I remember seeing a blog post from MailPoet who was upset about a vulnerability discovered in their product and how it was disclosed as well.

In Computer Security there is a term known as Responsible Disclosure. In a nutshell “Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.”

So what’s happening is that WordPress vulnerabilities are being discovered, the person who discovers one may, may not or may only partly follow the Responsible Disclosure protocol, and the companies and developers behind these products are getting upset at the way the vulnerabilities were disclosed.

In my opinion there is no incentive for a person who discovers a vulnerability to follow Responsible Disclosure except out of morality.

So how can these companies get ahead of some of these security vulnerability disclosures? It’s imperative that these companies manage these vulnerabilities to maintain the integrity of their brands. Also, security is arguably one of the most talked-about misconceptions surrounding WordPress.

I’m beginning to think Bug Bounties and Disclosure Programs like those of Google and Facebook could help WordPress companies get ahead and disclose these vulnerabilities on their own terms. Security Bug Bounty programs essentially offer a reward, whether monetary or some other form of incentive, that gives people who discover vulnerabilities an opportunity to disclose the vulnerability according to the company’s terms and receive a reward for it.

From what I can tell, none of the companies above has a bounty program or any information on how to disclose a vulnerability on their sites, except for WP All Import. They stated they paid $500 for the vulnerability mentioned above.

Here’s a list of companies that have some kind of bounty or disclosure program. I think the WordPress community should start exploring such programs and actively promoting them to ensure the stability of their products. I know I’m certainly going to start exploring it for my Coming Soon Page Plugin.

What are your thoughts?
