WordPress Changes Support Forum Policy on Discussing Vulnerabilities, Moderators Still Not Following Their Own Rules
The moderation of the Support Forum for WordPress has long been a mess. That is particularly true when it comes to security. Part of the problem is that it isn’t possible to abide by the rules. There are stated rules and then there are unstated rules, both of which the moderators sometimes enforce and sometimes don’t. So you can end up getting in trouble while abiding by what appear to be the rules. Making things more problematic, the moderators don’t even always tell people what they are supposed to have done wrong. The moderators seem to be able to do whatever they want, and they have in the past changed the rules when it was pointed out that they were violating them.
Last month, the Support team’s meeting summary noted a change in the handling of discussions of plugin vulnerabilities:
Discussion of Plugin Vulnerabilities in the Forums
Previously, all plugin vulnerability discussions were quickly removed from the forum, the account was flagged to prevent further disclosure, and the Plugins Team was notified.
Going forward, if the developer and Plugins Team have been properly notified, and the vulnerability has been publicly known for a time, discussion of that vulnerability is allowed, including any “me too” replies under the thread.
Please keep in mind that abuse of the forums for disclosing zero-day vulnerabilities remains a bannable offense.
That follows a question in the summary for the previous month:
Vulnerability reports
We’re seeing a lot more “your plugin has vulnerabilities” popping up in support topics and reviews. Typically, we’ve removed those messages and replied with the section of the plugin developers’ manual on how to report vulnerabilities. But if there’s a CVE or the vuln could be considered “well known”, should we just leave it and allow the many probable “me too” replies?
It isn’t a great look that a change was only made because there was more of something going on. If it was truly wrong, it would still be wrong if it was done more often. The issue of vulnerabilities being “well known” isn’t new. (CVEs are not a useful metric of things, but that is an issue big enough for its own post.)
This month’s summary said there hasn’t been negative fallout from that change:
Policy Change Fallout?
There has been no negative fallout from our relaxed policies on plugin vulnerability discussion and premium product support established during the September 29th meeting.
That shouldn’t be surprising, since the old policy was harmful to the community.
No Change in the Guidelines Despite a Change
Seeing as they made that change, it would be reasonable for the guidelines for the forum to have changed, but those are listed as last being updated in February:
The guidelines don’t make any mention of discussion of security vulnerabilities, which gets back to what we mentioned as part of the problem here: the impossibility of following the rules, because there are unwritten rules like this. But are they even following their unwritten rules?
Not Enforcing Their Own Rules
The changed policy would not limit discussions “if the developer and Plugins Team have been properly notified, and the vulnerability has been publicly known for a time”, but it isn’t hard to find examples where discussion is happening despite those criteria not having been met.
Our recent posts have covered several discussions involving the WordPress security provider Wordfence, where they started claiming (falsely) that there is a vulnerability in a plugin, and where the developer has said they were never informed of the claimed vulnerability.
Here was one developer noting that:
Thank you for informing about this. I have contacted the Wordfence guys to get more details on how to resolve this issue. I will be uploading an updated version asap, to satisfy their security scanner.
Here was another one:
Thank you very much for reaching out,
As of now we have no recent cases of registered security leaks on the side of our plugin,
Nevertheless we remain ever vigilant and would be immensely grateful to you if you are able to extract more logs/details from Wordfence that would provide more insights into the issue and send it to us using the following form. Please mention this forum post link in your email’s subject line.
Thanks a lot in advance!
Based on that, none of the requirements have been met, yet the discussions have been allowed. That isn’t a bad thing, as the discussions helped to address the problem of Wordfence’s false claims in those cases, but the policy was not followed.
Fix for Flawed Policy
As written, the new policy is a problem, as what happened there shows: Wordfence would not get in trouble for not notifying developers before claiming to millions of websites that there is a vulnerability in a plugin, but someone then contacting the developer of a plugin through the forum, asking what is going on with that claim, would be.
It seems a better policy would not allow disclosure of vulnerabilities on the forum. Separate from that, there could be a requirement that security providers engage in some form of responsible disclosure to be in good standing with WordPress. That way, in a situation like this, Wordfence’s plugin could be at risk of being removed from the WordPress Plugin Directory, instead of having their innocent users punished for their behavior, as the current policy would. We have suggested that change to the people handling the policy changes, but so far we have gotten no response.