This blog post introduces the many players in open-source security and what happens when we find a vulnerability in WordPress plugin. There are people in many different roles, that play a part in open-source security beyond the developers and the end-users of their open-source projects.
Who is responsible for a vulnerability in WordPress plugin?
Security is everyone's responsibility. When it comes to what we do, there are always many players involved with every security report Patchstack handles, and what their roles, risks, and responsibilities are.
Risks: Reduced or improved trust in their products. This really matters, if a developer ignores a vulnerability in WordPress plugin, their users will not trust that plugin. But if they are patching, even patching critical vulnerabilities shows the users they can trust this developer to protect their users.
Responsibilities: The only one who can push the patch.
Role: Security Researcher
Risks: Wasting their time, imagine putting hours of effort into identifying a high-severity issue and having to wait a long time for a fix, or never seeing a fix get implemented.
Responsibility: Respectful disclosure process. Including sufficient information that the developer understands and can use to take action to patch their code, and a report free of blame or negativity.
Role: Hosting Provider
Risks: Reputation hits from both customers and block lists if their hosted sites are regularly compromised.
Responsibilities: Secure infrastructure, and assist customers who get compromised.
Role: Website Owner
A lot of hard work and effort can be ruined by one unlucky, unpatched vulnerability.
Responsibilities: Security "hygiene", such as keeping website components up to date, using unique and secure passwords or 2FA for logins, etc.
Where does Patchstack fit into all of this?
Well, we are building the bridges of trust that will help improve security for everyone involved, what we like to call the Patchstack Alliance.
You likely already know Patchstack works with security researchers, offering them a bug bounty and notoriety for reporting WordPress vulnerabilities in open-source components through Patchstack Alliance.
Patchstack then takes the vulnerability reports the Patchstack Alliance provides, manually verifies them, and only forwards the reports which are within the developer's control to patch.
We include sufficient details needed for the developer to know how to verify the problem themselves and can help point out what part of the code likely may need the patch.
With the information gathered from the Alliance, we provide vPatches or in other words - firewall rules to protect websites that rely on open-source code either at the site level (with the Patchstack App) or at the hosting level (with our hosting partnerships.)
So in essence we are bringing together security researchers, developers, hosting providers, and site owners to help improve the security of open-source code.
If you are interested in joining Patchstack Alliance, we would love to have you.
Hosting providers, we can help you protect your customer's websites at scale.
Plugin developers, we can help you write better code, we would even like to show you how to spot security vulnerabilities in open-source code. Maybe you could contribute to the Patchstack Alliance with security bug reports sometime.
Website owners, we have a free plugin that will notify you of insecure components on your websites and if you have multiple websites, or wish to support the Patchstack Alliance, we have the Patchstack App which for a small fee can automatically protect your websites from attacks and provides a slick security operations dashboard.
Security researchers, we help with communicating their reports to the developers and even provide a bounty for the WordPress vulnerabilities found through our program which is funded through all of the support Patchstack gets from the paying users of our products.
Want to listen to this article? Check Patchstack Weekly on Spotify.👇