
David Anderson

Exposing vulnerabilities in such a public, detailed way, is like a doctor giving cancer a fighting chance.

I make no comment upon what I think of pluginvulnerabilities.com’s practice (I don’t think my opinion is important), but you don’t understand the root problem.

Closing plugins on the wordpress.org directory is like sticking up a “Hey, something here potentially of interest!” flag. Black hat hackers see that flag, and have the skills to investigate, and, if the plugin is vulnerable, exploit it on people’s sites. But the same information is not available to end-users (because the directory doesn’t provide it when they close the plugin) – even if the plugin remains closed for a long time. Site owners can’t evaluate whether they are vulnerable in their particular install, or not – and so, they can’t decide what to do about it, and how quickly they need to move to do so. They can’t make an informed decision on how to spend their limited resources of time and money.

i.e., people with the motivation to do bad things know in detail why a plugin was closed and what they can gain from it… but actual users of the plugin don’t know why. They can’t evaluate what they might lose by it and how best to respond. That’s a problematic situation.
