I wasn't going to respond to this thread, but on reading the below, I've changed my mind
You are the official developer of this plugin and this is your website so I expect that I get all relevant information here by you and not somewhere at a third-party-website or somewhere hidden in another topic. When there is a issue with your plugin you are responsible and not WordPress.org. So you have to provide all necessary information in an easy-to-find way to your users. Thats why I subscribed to your forum because I expect to get all relevant update-information directly from the developers website.
@bragos whilst I accept your view (and in some cases, you do make some valid points), I have to question the aggressive method in which they are being relayed. This plugin, like millions of others on WordPress.org is driven by a community - to that end, you are getting a high quality application designed and written by talented developers, who are providing not only the plugin, but unparalleled support you will NEVER see on any other WordPress plugin. It's not like you are being billed to use it. Let's look at the timeline @robert provided
- 29/05/2018 11:30 PM: Issue discovered by DediData and WordPress.
- 29/05/2018 11:30 PM: Sent details via email.
- 30/05/2018 12:31 AM: We replied stating we will release a patched version very soon.
- 30/05/2018 8:49 PM: Fixed version is released.
It's clear to even the most basic of understanding that work commenced on a fix once the issue was able to be replicated - and that they delivered the fix in a more than timely manner. Subsequent "stub releases" were to remediate functionality that the new patch had inadvertently broken - this is always going to happen and there is no way on this planet that you can regression test every single function when you have a vulnerability to close first.
I first found out about the plugin being removed from WordPress.org as soon as it happened (I am a security professional by trade / CTO / CISO), and simply asked the question here on the forums. I received an almost immediate response notifying me that the team were aware and were addressing the issue. It is not common practice to place a banner on the website saying that the developers have discovered a vulnerability, and are working hard to remediate it. What sort of message does that send to the black hat community ? There's something in the security arena called "responsible disclosure", meaning that not even the vendor of software is able to disclose vulnerabilities in their own software until that same vulnerability has been remediated and tested by an independent third party to prevent a conflict of interest / bias.
Ultimately, this is all about opinion and expectation. However, with Open Source, there should not be an expectation - unless you want to develop the application yourself, or pay the price for an enterprise grade platform with the associated price tag.
Finally, I agree - security is a very sensitive topic.
"Everyone who thinks that my concern is an exaggeration should not run a website and/or process any sensitive user-data."
I don't think your concern is an exaggeration. I'm in the information security field myself, so I understand you asking questions - just not in the manner that you are doing so.
"I thought people learned that security and a professional information-policy is important those days ..."
And I thought that politeness and decorum were the right thing to portray when trying to get your point across - rather than appear hostile and dictatorial - especially as by using the software, you essentially agree to the GNU (or equivalent) license. It's Open Source meaning people can contribute. Not berate.
If you do not like the way the developers write, release, and support this fantastic plugin, then my advice to you is not to use it.
I think both of you dont get the point at all.
As I sayed before: I am happy with the product, I am happy about the quality and I am happy that the security issues were fixed so fast.
But not posting an announcement in an announcement-forum when there is a critical security-update is just unprofessional.
Responsible Disclosure is not a good argument at all here. I saw that exploits are already available for those issues (sql injections) when you search for them. And after weeks there is still no official statement available at the developers website. There is some note about it in the WordPress changelog and another one somewhere hidden in another topic but in my oppinion this is not the way to go.
Imagine WordPress or Windows fix a couple of important security issues and you read about it somewhere else without finding an official statement. You know that people would go crazy about it ...
As I said before: You post a new announcement for „hey we implemented feature X“, and „now we also fixed Y“, so also post announcements that you fixed security issues because those updates are the most important ones. Not only for your customers, but especially for your reputation!
Thank you all for your feedback.
Sure, the security issues should be announced and we'll keep those announced. As the priority place we've only announced in wordpress.org . I'd say this is also an official place. In any case, we agree to add announce in our community too, so we'll do this if we got any urgent issues.
Thank you very much for kind words and for trusting us.
I'm closing this topic here.Thank you for your understanding.
