Plugin Vulnerability Warning

#1

@invisnet I think there should be a warning system in place.
A way to show a notice on sites having affected plugin/theme. Just like an update notification, but about security.
Something along the lines of “xxx plugin/theme has been reported as not secure. It’s best practice to disable it and be sure to check your site. More info here” or less verbose. But in any case, a way to warn site owners.
Then it’s up to them I think.

1 Like
#2

Yes, that’s already covered in the Misc section.

The problem with exploits in the wild is that you might need to react in hours, whereas lots of people only look at their site every few days.

2 Likes
#3

But everyone is checking mail and social media every minute. Why not have an alert system via Twitter? We can ask site owners to follow us in order to receive these alerts.
We will gain a following AND reach them in real time.

#4

Yes, we could, but that’s potentially a big can of worms. It’s one thing notifying our users directly that a plugin has a problem, it’s another putting it on Twitter. @timkaye any thoughts here?

1 Like
#5

I have a question: how on earth can blogs put exploited plugins out in the open and we can’t?
I can understand the issue about being potentially sued… But…
There should be a way to reach people on time.

#6

There are several scenarios to consider:

  1. In the wild but not public knowledge,
  2. In the wild and public knowledge (easy),
  3. Not in the wild and not public knowledge,
  4. Not in the wild and public knowledge.

I intend to flag plugins for (1), (2), and (4); (3) is responsible disclosure, there are other rules for that. (1) is the one I’d like @timkaye’s view on.

#7

Irrespective of which of those four scenarios we would be talking about, there is no way that I would support our putting any warnings anywhere except on sites that we control. It would create a huge potential liability problem if the warning turned out to be inaccurate, because then we would have defamed (i.e. harmed the reputation of) the developers involved.

While that would also be true if we posted similar warnings on our own sites, we would then be able to take advantage of the defense that we are attempting to protect something in which we have an interest (i.e. a stake). The only way that defense could then be defeated is if the victim could prove that we had published an inaccurate warning with malice (i.e. with intent to cause harm). That’s typically almost impossible.

As for what any warning should say, I’m happy to be guided by the security pros. If we publish such warnings only on our own sites, we should be fine.

EDIT: Perhaps I should also add that sending an email direct to the affected developer is never a problem from the point of view of the law of defamation, because it is not something intended to be made public and so cannot affect the developer’s reputation.

2 Likes
#8

I can understand that position for (1), but I’m having a hard time with it for (4) and especially (2).

For (2), if everyone knows about it (people posting on blogs etc) and it’s actively being exploited, why can’t we post about it too?

(4) is more theoretical - as soon as people start posting about something it tends to get discovered and exploited very quickly - in that sense it’s more a very early version of (2).

#9

For (2), if everyone knows about it (people posting on blogs etc) and it’s actively being exploited, why can’t we post about it too?

If we are sure, then fine. But that’s always true of being sure: there is no legal risk in the first place. The problem, as any lawyer will attest, is that far too many people claim to be sure but still turn out to be wrong. So I’d say it would be much better to use Twitter (and other places) to say something like “for the latest update, see …” and point them back to a ClassicPress site.

(4) is more theoretical - as soon as people start posting about something it tends to get discovered and exploited very quickly - in that sense it’s more a very early version of (2).

Agreed, so I’d say the same thing.

1 Like
#10

“We have received reports that plugin bar-fizzle-foo is being actively exploited - see classicpress.net/whatever”?

#11

Yes, that would be fine. So it’s entirely neutral on the “foreign” venue.

1 Like
#12

OK, I can live with that.

Can we do that for (1) if we can prove we had those reports?

#13

Can we do that for (1) if we can prove we had those reports?

Yes. We would still be neutral about whether there is a security issue – by just reporting that we had received reports.

This manner of proceeding also guards against any temptation to engage in a war of words on Twitter that might lead to the saying of something that should not be said.

#14

OK, that’ll work.

1 Like
#15

ClassicPress sites could send out emails to administrators when plugin vulnerabilities are discovered. This seems like a much better route than using Twitter:

  • it’s private, which doesn’t open us up to flame wars
  • we’re using an existing, recognized mechanism for automated emails
  • no need to collect new information about our users.

5 Likes
#16

I agree. I’m not a fan of assuming people use any social media platform. (My pet hate is being told to do something with Facebook, as I don’t have an account.)

6 Likes
#17

Why not have a subscribe-type dashboard widget, or make it part of the install/onboarding?

Let’s face it, most people do not monitor whatever email they add in the admin email box.