Can exposing security vulnerabilities in the open be done in a way that doesn't hurt WordPress?
Rob Howard, who recently acquired MasterWP, used it last week to criticize Patchstack’s Security WhitePaper for 2021. He called the report “sensationalist” with “sloppy data reporting,” “too much information,” and some important good news left out. He also advocated “WordPress security messaging” that would clean up the “wasteland of poorly framed articles about security patches” in Google News. We thought that is a worthwhile and promising idea to develop. However, Rob expressed skepticism that security companies have an interest in accentuating the positive.
This week, Patchstack Security Advocate Robert Rowley has written a response in MasterWP. Robert countered that Patchstack is helping “open source projects reach security maturity.” In a polite “rebutal-but-not-a-rebuttal response,” he explains Patchstack's perspective and intentions.
According to Robert, the large increase in vulnerabilities emphasized in Patchstack's report has to do with an increase in code review and bug reporting. WordPress core is secure, and increased attention to vulnerabilities in themes and plugins is a good thing. Patchstack is helping that happen, in their view. “Vulnerability disclosure for the commons” is how they understand what they're doing with projects like The Patchstack Alliance.
What we've learned and agree on about WordPress security:
There are two good, compatible takeaways from this discussion everyone seems to agree on.
- WordPress is getting more secure, and open source ways of addressing vulnerabilities openly together is helping.
- WordPress could benefit from (and deserves) better messaging about security that contextualizes it in open source values and practices where we give and grow together.
A noteworthy aside: Robert brought up some numbers we rarely see that I follow closely. The WordPress.org plugin repository grew by less than 3% in 2021, from 58,151 to 59,800 plugins. Themes grew by around 10%. That's decent growth in both cases.
How can we do security-related messaging better for WordPress?
When the discussion began between Robert and Rob, we posed this question here at Post Status: Would WordPress benefit from public relations messaging around security issues?
Robert responded in Post Status Slack:
“There are many teams in the open source WordPress project who publicly share details on progress, metrics and planning… I would disagree with calling this PR, that has some other connotations. But I would love to see more regular updates on metrics.”
Robert's view of good PR is “public acknowledgement of the security team members and sharing some of the teams plans and goals.”
Kimberly Lipari joined the Slack convo and wants to flip the narrative:
Why not flip the narrative? Instead of “core vulnerabilities reported” it could be “security code pushed” or “release improvements.” Why not educate on what open source is and updating is a good thing, not something to fear?
Robert agreed with Kim's approach and acknowledged it was a mistake to have used the term “vulnerabilities” rather than “security bugs patched.”
WordPress is different, and we should embrace that
This is a good approach moving forward. It doesn't matter what company or open source project you are working with. If you are releasing information about security and your product, you need to educate and reassure your audiences. WordPress is not selling the same experience as other (especially non-open-source) web publishing platforms. Wix and Shopify only make public the security information they're legally obligated to release. When they do they are often on the defensive. Openness and transparency are our strengths, but it is easy to make them liabilities.
Do you have ideas for specific strategies to make openness around security issues something that educates and reassure? Is it a way to attract contributors or draw WordPress users deeper into the community? Could it spread a better understanding and appreciation of open source? Tell us in the comments!