Matt Mullenweg Appoints Nikolay Bachiyski as Security Czar for the WordPress Project

While on stage at WordCamp Europe answering a question related to WordPress’ security track record, Matt Mullenweg named Nikolay Bachiyski as the first Security Czar for the WordPress project.

Bachiyski is employed by Automattic and has been a member of the WordPress community for more than 10 years. Over that period he has earned the trust of many people inside and outside the WordPress ecosystem. The new role lets him focus on communicating with researchers and on triaging incoming security reports.

Mullenweg admitted on stage that there have been communication issues in the past. He didn't give any examples, but one that comes to mind is the release of WordPress 4.2.1.

In April 2015, security researcher Jouko Pynnönen published details of a vulnerability in WordPress hours before the team shipped 4.2.1 to patch it. He had tried to contact the WordPress security team through several channels, all of which went unanswered. In his disclosure, he wrote:

WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014.

According to our knowledge, their security response team has also refused to respond to the Finnish communications regulatory authority, which has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status of our open bug tickets.

No one from the WordPress security team has officially explained why or how the breakdown in communication occurred. When reports go unacknowledged for months, a researcher is left with public disclosure as the only remaining way to get a fix shipped, which is how 4.2.1 came about. Hopefully, with Bachiyski as Security Czar for the WordPress project, breakdowns in communication like these will become rarer or disappear entirely.



  1. Hey Jeff, I know it wasn’t really “officially” announced other than the security release patch you linked, but isn’t this what Nacin was talking about in his Loopconf talk?

    Whether it was better or worse to discuss a security issue like this in a talk at a conference, and not through more official channels, I’m not sure…


  2. I haven’t had much success communicating about security issues with the team through HackerOne. Lots of dead air. I’ve had much better success contacting them via the security@ email. Even there though, it would be nice if there was a bit more communication. So I second the hope that a Security Czar will improve communication between researchers and the security team.


  3. If someone takes the reflected XSS and stored XSS issues we've found seriously, then we will see this as a step in the right direction.

