Plugins: Threatening to Go Public

A lot, like a lot a lot, of people threaten to go public with how evil the Plugins team is. That rarely works out for them, since most of the time I’m very good about covering my bases, giving people just enough rope to hang themselves, and documenting it to CYA. Also most of the time they’re wrong. If I’m wrong, I apologize and try to make amends.

But they still threaten. Few people it’s rarely going to be what they want, since they’ll say “I was banned because I refused to fix X” or “My plugin was rejected because wouldn’t change X” and that reflects on them, not me. Now that does depend on what X is, like sometimes it’s as weird as not documenting a remote call, or it’s not wanting to use the default jQuery. A lot of people refuse to stop including libraries that are default in WP for reasons I cannot fathom.

Today’s story is about one of those where X was a security issue.

Security Closure

One of the fun/annoying parts of plugins are security reports. We get a lot and they’re rarely well written so they take time to unpack what the plugin is and what exactly the issue is. Dion has since crafted a way to collect more of the details to expedite (which helps a lot), but back then? I did it all manually, checking and testing every time.

That routine and practice is a large part of why it’s taking so long for folks to catch up after I left, I had a routine and muscle memory working for me on top of a decade of experience. They’re individually about as fast as I was when I started, and back then we had a lot fewer plugins and a lot simpler ones!

This report was for a valid XSS and SQL injection issue on a plugin untouched for 6 years. No big deal, mistakes happen and this was clearly a mistake. The plugin was closed and the dev emailed.

Now these old and non-updated plugin closures usually fall into two categories:

  1. The developer replies, fixes the plugin, all is happy
  2. The developer never replies, plugin is closed forever, sadness reigns

But then we got the weird one.

Note: My wife always laughs when I say ‘and then it got weird’ because it’s usually already pretty weird.

This guy, let’s call him Glen (not his real name), emailed back and said he hadn’t updated but he tested the plugin and it worked on the then stable version of WordPress. Great. But he has to fix the code. So he was told “If you have not updated the plugin on SVN, we will not review it” among other things.

Glen complained that he did this shit for free (join the club, Glen) and he was the reason WordPress was popular (… what?), and for sure he would not be able to update on short notice. The plugin was already closed and if you’re wondering what notice, he meant the time to disclosure. Remember after 60 days the site will say (in broad terms) why a plugin was closed.

Now. Saying you can’t fix the plugin asap is totally okay. Take the time you need, but I am not reopening if it’s not safe. Period. It was already 0-day’d.

Glen wanted me to call him (Hah!) and he would tell me all about WordPress’s many, obvious, security issues.

No Phone Calls

I told him no, I would not give him my number.

He was reminded that the plugin is his responsibility, not mine. I don’t work for him any more than he for me. We’re all volunteers, yadda yadda, and by the way, here’s how you report WP core issues. Finally he was reminded the plugin was already closed, and he could take the time he needed to correct it, even years.

He agreed to update, when he could. Again, I told him that was fine, and to do what he could when he could, we understood. But Glen got all fired up over being “asked” to “look into” his security issues and continued to complain that he had to fix his own plugin.

For the record, everyone has 60 days before the reason for closure is made public. There has never been an ultimate limit to fix the plugin after closure. The longest has been over a year. I never cared if it takes you 6 minutes or 6 hours or 6 years! But Glen? Well … he threatened to post on social.

So let’s get it clear. Glen was going to post on social that:

  1. He was told about a security issue in a plugin he hadn’t touched in 6 years, his plugin was closed, and he was given a timeline for disclosure of why it was closed.
  2. He ignored the security issue and said it worked on 5.X so it’s all good.
  3. He was told we would not reopen the plugin unless he updated.
  4. He decided it was rude of us to say that.
  5. He accused the plugin team of being rich (hah).
  6. He threatened to tell everyone the whole story.

Besides the fact that it’s not going to go his way (people would read “You refused to fix your own plugin and demanded a known vulnerable plugin be restored?”), it’s pointless. It wouldn’t change anything. The plugin would remain closed and he’d get banned for threats. Because the textbook word there is he was trying to extort us by threatening … dog shaming?

Stop Hitting Yourself

I pointed out that his ‘version’ wasn’t going to make him look good. He was welcome to go public if he wanted, but again, all he was being asked was to fix the plugin when he could, and no, I would not reopen it until it was fixed.

He doubled down, used some choice words about the matter, and was banned.

I don’t think he ever did go public, but he never fixed his plugin or self-hosted it either.