This is a guest post by Robert Rowley, a security analyst at Patchstack, a company that’s building a security community behind the WordPress ecosystem.
A Rebuttal Emerges!
This article is a rebuttal to Rob Howard’s article “Is WordPress security getting better or worse?” where the author highlights the challenges WordPress’s security reputation faces and criticizes Patchstack’s Security WhitePaper for 2021. But rebuttal is too strong a word for what I’m about to write; I apologize for using language loosely.
Who am I to apologize? Well, I am Patchstack’s Security Advocate and I helped write the State of WordPress Security in 2021 paper along with my colleagues at Patchstack.
Why is this a rebuttal-but-not-a-rebuttal? Because, everyone at Patchstack appreciated and reflected on the criticism Rob gave. We’re not the type to argue with someone who shares a common goal: That when people ask the question “Is WordPress Secure?” the answer should be…
At least, we can say that about WordPress core right now. But, when I say it is “secure” I’m not talking about a tally of the number of vulnerabilities affecting a product each year, that’s just a number, or a metric. Security is more than a metric, security is a process.
When I say, “WordPress core is secure,” I am thinking about the processes behind security for the project. I am saying “WordPress core has a mature security model.”
Because to me, when I am asked “Is this project secure?” I want to see the project’s track record of handling security bugs respectfully and openly. Rob said it best in his article, and I agree: “A security release means good people are building good software.”
So, what does WordPress core do to have a mature security model? Let me share a few (but not all) bullet points on what makes WordPress core’s security process mature:
- WordPress core clearly communicates security releases to users.
- WordPress core has resources to review, validate and patch security bugs reported to the project.
- WordPress core has a public vulnerability disclosure policy which details the steps and outlines boundaries and expectations when reporting vulnerabilities.
- WordPress core also has a bug bounty program, sponsored by Automattic, which gives security researchers an incentive to report vulnerabilities by paying them bounties.
Notice, I do not mention vulnerability or CVE counts. Remember, that is just a metric, a data point or measurement over time that reflects whether a process is working. And, if we look back at WordPress core’s vulnerability metric history, an interesting detail emerges:
In 2017, WordPress core had its peak year of CVEs reported, 46. The count has trended down since then, with last year being the lowest CVE count year since 2010.
So, the data shows “something” happened in 2017 and it has gotten better since. What happened in 2017? WordPress core started a bug bounty program which gave incentives to report vulnerabilities in their code base.
They checked off some of the bullet points I listed above, they gained security maturity, and it was reflected in the metrics.
It would be great if all plugins and themes could check off more of those items in the mature security checklist, just like WordPress core.
- Clear communication of security releases.
- A public vulnerability disclosure policy.
- Resources to review, verify and triage those security bug reports.
- Incentives for researchers.
#1 is easy enough, but as the list goes on it becomes more out of reach for smaller projects with fewer resources, with the last item being pretty darn rare.
Patchstack is here to help open source projects reach security maturity, and we’ve already started – the metrics show that.
150% more security bugs patched!
In 2021, there were 150% more security bugs being reported and *patched* in the WordPress ecosystem. This means site owners were able to update their plugins, and their sites are no longer vulnerable.
I understand and agree with Rob’s commentary that there was some confusion with the wording of “150% more vulnerabilities.” I thought about this and believe calling them “security bugs patched” is much clearer and gives it a positive connotation. I will do my best to be clear, and positive, from now on when talking about vulnerabilities (Sorry! I meant security bugs.)
With some exceptions.
There were some exceptions, though. Not all reported security bugs were patched, and this leaves sites vulnerable to attack.
Rob mentioned this in his article and I agree with his commentary. It is tragic for site owners when the projects they rely on receive no patch for critical security issues because they have been abandoned.
Rob went on to say “At the very least in the future, the WordPress Security team should push a security release themselves if a plugin has a known exploit.” I’m not sure who has the time, but I have an idea on how that process could work, so I may just look into doing it myself.
Explaining the 150% increase.
The WordPress ecosystem is growing, but not at a rate of 150%. In fact, the WordPress.org plugin repository grew by less than 3% in 2021, from 58,151 to 59,800. Themes grew by around 10%, which is solid growth … but far from 150%.
The security bug spike was due to the increase in people reviewing and subsequently finding and reporting these bugs in the WordPress ecosystem code base. I mentioned Patchstack was already helping open source projects reach security maturity … so, how?
Vulnerability disclosure for the commons.
We all know the claim that open source is more secure due to the transparent nature of its code base. Anyone is free to look for and report security bugs … but who is looking? What is their incentive/motivation? How do they report bugs? Who handles the reports?
Security researchers are doing the looking, and should be seen as contributors to the open source projects they report security bugs to. They are in fact contributing detailed information about bugs which have an inherently higher priority, but these bug reports need to be handled delicately.
Security bugs need to be fixed quickly, discussed discreetly and privately, but also eventually publicly! This is the balancing act called “vulnerability disclosure” and it is no easy task.
Vulnerability disclosure is the ‘how’, but it is complicated and difficult for small open source projects to deal with disclosures, especially if they have few resources and are dealing with a less experienced security researcher reporting the issue. If anyone in the process has an immature attitude, assumes bad intent, or just gets impatient … it can go bad.
A statistic we did not see along with the increase in security bugs was an equal increase in vulnerability disclosures gone bad.
Because there wasn’t.
Because someone was helping developers handle the increase in security reports in 2021 following a mature vulnerability disclosure process.
That someone was the team behind the Patchstack Alliance, who have decades of experience reporting security bugs and working with both developers and researchers. The Patchstack Alliance helps open source projects check off more of those bullet points of a mature security process. We do this for every project in the WordPress ecosystem, saving them time, helping them out and we do it at no cost to the projects directly.
We take responsibility.
Patchstack is responsible for the Patchstack Alliance, which we started in mid-2021. The goals of the Alliance are to help projects in the WordPress ecosystem address more security bugs. We incentivized security researchers with a gamified bug bounty platform, and in turn Patchstack handled the vulnerability disclosure process for these bugs in a respectful and empathetic manner.
Every security bug report (over 1000 in total*) resulted in Patchstack’s team members reviewing and verifying whether the report was valid. If the bug was valid, we reached out to the developers of the respective project, discreetly informed them of the issue, and guided them along the rest of the vulnerability disclosure process following a mature security model. The experience of our Alliance team members led to smooth sailing during the delicate vulnerability disclosure steps too, with no reports “going bad” or resulting in arguments or negative experiences.
(* Note: Not all of these reports were valid; in fact, many required a lot of extra effort to clean up, or to clarify to the security researchers why they were invalid. Our team put in the effort, cleaning up the reports so as not to waste the project developers’ time.)
Patchstack is still a young organization though, and we are doing things differently. We may get criticized when looked at from a different perspective. But we accept criticism, and the responsibility for our actions as long as that criticism comes from someone who shares the same goal: a more secure WordPress ecosystem.
We want WordPress to be considered safe and secure. Not just core either, but the plugins and themes too, the whole ecosystem! This is our common ground, our shared goal.
Criticism is welcome when you know both parties are working toward the same goals. It is a tool to be used to grow as people, as organizations, as communities, and as contributors.
I’m Sorry. Thank You. You’re Welcome.
These words “I’m Sorry. You’re Welcome. Thank You.” come in handy at Patchstack a lot. They are critical to keeping the peace during the vulnerability disclosure process, but they are handy for any miscommunication. I say them every week on the Patchstack Weekly (where I share security tips and recent news). They are words of empathy and understanding, something Patchstack is good at (or at least we try our best).
I thank Rob for his criticism in the original article, and thank MasterWP for publishing both Rob’s article as well as this rebuttal-but-not-a-rebuttal response.
Patchstack believes in open source, and we believe we are filling a much needed gap: Getting more security bugs patched and vulnerabilities removed from the ecosystem every year. We are doing that, as best as we can, with empathy and understanding for all involved. We are different from the competitors in this market. If you would like to support us in this effort to make the whole WordPress ecosystem a safer, kinder, and more secure place, please look into some of Patchstack’s products and offerings. We have solutions for website owners, agencies, hosting providers, and developers.