
General support form for inbound security findings? Check!

Word "security" appears nowhere on the front page? Check!

Word "security" appears nowhere on the support page? Check!

Guys. Please. Fix this! It's not like it's unlikely that someone is going to want to report things to you.

You need:

* A security page...

* ... with a PGP key ...

* ... and an email contact ...

* ... of someone who will write back immediately ...

* ... who knows what a security vulnerability is.

That's all you need to do. You haven't done that yet. You come close on Wordpress.org, but not close enough. You are asking people to wait only 2-3 days before writing scary-sounding blog posts. This is too easy not to fix.

While you're at it, earn some extra credit:

* Reply with special vulnerability IDs so that reporters think their report isn't waiting in line after bugs in your online help system. Whether it actually is or isn't isn't even a problem you need to solve yet.

* Thank researchers privately instead of ignoring them.

* Give them a phone number to call back and get status on their report. You're a company. You can scale this.

* Be like Google, Apple, and Microsoft and keep a thank-you page for people who have disclosed problems "responsibly" to you.



Some more useful advice for Open Source projects and security/release management can be found in "Producing Open Source Software" from http://producingoss.com/en/publicity.html


Awesome comments and advice. My co-workers are working on this.



