While on stage at WordCamp Europe answering a question related to WordPress’ security track record, Matt Mullenweg named Nikolay Bachiyski as the first Security Czar for the WordPress project.
Announcement by @photomatt at #wceu: Nikolay Bachiyski (@nikolayb) is new Security Czar for http://t.co/ALFwuNTcoy
— Deborah Edwards-Oñoro (@redcrew) June 26, 2015
Bachiyski is employed by Automattic and has been a member of the WordPress community for more than 10 years. Over that time, he has established trust with a number of people inside and outside the WordPress ecosystem. The role allows Bachiyski to focus on communication and on triaging security reports.
Mullenweg admitted on stage that there have been communication issues in the past. He didn’t specify any examples, but one that comes to mind is WordPress 4.2.1.
In April 2015, security researcher Jouko Pynnönen published details of a security vulnerability in WordPress hours before the team released a patch. He had tried to contact the WordPress security team through a variety of channels, all of which came up empty.
WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014.
According to our knowledge, their security response team has also refused to respond to the Finnish communications regulatory authority, which has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status of our open bug tickets.
No one from the WordPress security team has officially announced why or how the breakdown in communication occurred. Hopefully, with Bachiyski as Security Czar for the WordPress project, breakdowns in communication like this will decrease or disappear entirely.
Hey Jeff, I know it wasn’t really “officially” announced other than the security release patch you linked, but isn’t this what Nacin was talking about in his Loopconf talk? https://www.youtube.com/watch?v=yQaRUEwEKxE
Whether it was better or worse to discuss a security issue like this in a talk at a conference, and not through more official channels, I’m not sure…