About time
I feel his frustration. Probably not on the same scale, but it's blinking annoying to report a security vulnerability and have it ignored. Security through silence is not security.
A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts. The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments …
My sense is that doing what he did is a good plan and forces them to do something instead of hiding behind some form of obscurity. But if he found it, others probably have also, and probably not the good guys. The downside: sometimes those who release bugs before contacting the company are vilified, and pretty badly too. Still... he deserves a cold one.
Indeed… I think something like Google's Project Zero is closer to the mark. Vendor is contacted, a period is given to come up with a fix, then the bug is publicised after a fixed period.
Maybe have the ability to extend it by a maximum of a month if the vendor negotiates it. (That's where they went wrong in the case of Microsoft recently.)
If you report something, then don't hear from the vendor, I think it reasonable to go public with the details, and 14 months is more than long enough!
I wonder if setting post_max_size in php.ini to less than 64k could be a good workaround for people who can't upgrade their WP today. Obviously it might cause problems for other non-WP sites on a shared server. It might also cause problems if other WP functions need to do huge posts. I might check if this works later if I have time.