Sucuri, the Hack, and the Lessons Learned

We believe in an open, safe web.

Open means a web without secrets, where communities rule, where nothing is kept hidden, where security vulnerabilities are discovered, fixed and discussed without any fear. Heck, we even believe “Hackers are the internet’s immune system”.

Safe means a web where good hackers who discover vulnerabilities can safely get in touch with companies, disclose exploits, and receive rewards and credit after giving those companies a reasonable amount of time to fix their mistakes.

Are we sure we are all aiming for this in the WordPress community?

Responsible disclosure, SaaS vs self-hosted

It’s common practice in software security circles to disclose bugs privately to the software company, give it a reasonable amount of time to fix them, and only then collect the reward and the credit and write about it.

You see, it’s all about a reasonable amount of time.

In a typical scenario a “Software as a service” company is able to fix the vulnerability in no more than a week, usually within a day, and only then let the world know. This works because by the time the exploit becomes public the software has already been fixed for every user at once: the company has full control over it. The process also ensures companies can’t get away with hiding the vulnerability.

We don’t have that control. WordPress is a self-hosted platform running self-hosted plugins. Each site owner has to install the update themselves, and there’s no way to get in touch with every user and let them know about a security release. That’s why timing is important.

Sucuri contacted us on June 16th about a vulnerability they had discovered in our plugin. We reacted fast, fixed the vulnerability two days later and released a new version a few days after that.

On the very day we released MailPoet 2.6.7, Sucuri published a blog post disclosing the vulnerability, effectively giving users no time to upgrade their MailPoet version. You probably already know the rest of the story.

Is less than 24 hours a “reasonable amount of time” in the self-hosted software world to let most users upgrade their plugin before being flooded by the ever-hungry mass of WordPress hackers?

Had Sucuri waited a few days, or maybe even weeks, before posting a detailed technical disclosure, 70% of MailPoet users would have been on the latest MailPoet version, Sucuri would still have had their credit and MailPoet its shame, and users would have been protected from the day the exploit became public.

Of course this means fewer hacked websites.

Are we sure we are all aiming for an open, safe web in the WordPress community?