Some people seem to misunderstand what I said about the latest WordPress update.
I, myself, am perfectly able to figure out what was broken and how it was fixed. That’s not the point. I was commenting on the handling of security announcements by the WordPress developers.
I expect to get information about security issues from a central, easy-findable place from any project or product that has public exposure and more than a handful of users. (Yes, I expect that from open source projects too. Look around the net to see how good others handle it.)
Expecting your users to gather information about a problem from forums, blogs, foreign sites, or the source code is simply unprofessional.
The often used argument that more specific information only helps hackers is just plain naïve: WordPress is open source, its code and even nicely formatted svn changesets are freely available on the web. Hackers are not stupid, they’ll find the issues.
Note, I’m not saying you should post sample exploits publicly. Just give enough information that administrators can determine whether their systems are vulnerable and how severe the problem is. Again, go around the net and look how other projects handle security announcements.