Some argue that disclosing WordPress vulnerabilities plays into the hands of hackers, but without disclosure, would security vulnerabilities ever be fixed?
Every complex piece of software has bugs. Sometimes those bugs cause security vulnerabilities. And sometimes those vulnerabilities are exploited by hackers. Security researchers and developers try to find vulnerabilities before hackers can exploit them or so they can be closed if hackers are already exploiting them. This is the ongoing battle between security and criminality that keeps users safe.
But there is a controversial question where vulnerabilities are concerned. How much information about vulnerabilities should be released to the public (and by extension to hackers)?
The instinctive response is to share nothing at all. Sharing detailed information about vulnerabilities, which often includes proofs of concept that show exactly how the vulnerability can be exploited, plays right into hackers’ hands, says this school of thought. Transparency is all well and good, but the safety of users is more important.
On the other hand, in many cases the only thing that compels developers to fix vulnerabilities is the risk of earning the wrath of users, which will never come if they know nothing about it. From a purely (short-sighted) business perspective, fixing a vulnerability that no-one knows about isn’t a sensible use of resources, and letting users know about the vulnerability so they can protect themselves is equally pointless.
That’s one of the reasons security researchers developed the doctrine of full disclosure. The thinking goes that if security researchers have discovered a vulnerability, the chances are high that it’s already being exploited by criminals. Users will have a false sense of security that puts them at risk. Keeping it secret only benefits one party — the developer. It doesn’t help users at all. So the information is released in full.
A modification of the doctrine of full disclosure is the doctrine of responsible disclosure. Researchers release full information about a vulnerability, but only after having informed the developer and given them sufficient time to patch the vulnerability. It often takes time for developers to create a patch, and by negotiating a limit to how long the researchers are prepared to wait before disclosing, the developers are incentivized to release a fix in a reasonable amount of time.
The WordPress community has largely agreed that responsible disclosure is the best way forward. Security researchers like Sucuri work with plugin developers to get a patch out before releasing details of the vulnerability.
But there is a wrinkle when it comes to WordPress and other software that is used by a large number of non-technical users. They don’t update in a timely fashion. Updates are the only way to get fixes for vulnerabilities. Developers can make those fixes available, allowing researchers to disclose the details responsibly, but if a good portion of users neglect to update their WordPress installation, then they’re still vulnerable and releasing full details puts them at risk.
It’s entirely likely that the vulnerability was already known to hackers, although perhaps not to all hackers. The point of full disclosure is to ensure that everything is done transparently and out in the open. Not disclosing has risks: users aren’t aware of the problems, technical users can’t assess their risk, and developers have less incentive to quickly close the hole.
As I said earlier, it’s a vexed question with no straightforward answer. I lean towards full and responsible disclosure, but it’s not without risk. What do you think?