Some people seem to misunderstand what I said about the latest WordPress update.

I, myself, am perfectly able to figure out what was broken and how it was fixed. That’s not the point. I was commenting on the handling of security announcements by the WordPress developers.

I expect to get information about security issues from a central, easy-findable place from any project or product that has public exposure and more than a handful of users. (Yes, I expect that from open source projects too. Look around the net to see how good others handle it.)
Expecting your users to gather information about a problem from forums, blogs, foreign sites, or the source code is simply unprofessional.

The often used argument that more specific information only helps hackers is just plain naïve: WordPress is open source, its code and even nicely formatted svn changesets are freely available on the web. Hackers are not stupid, they’ll find the issues.

Note, I’m not saying you should post sample exploits publicly. Just give enough information that administrators can determine whether their systems are vulnerable and how severe the problem is. Again, go around the net and look how other projects handle security announcements.

WordPress 1.5.2 “Strayhorn” has been released today. The changelog mentions that several vulnerabilities have been fixed but — once again — the developers don’t provide any details! One has to look at the diffs to see what has been fixed.

I hate that kind of silly security by obscurity. Vague vulnerability descriptions are almost useless for administrators, just saying “we’ve fixed some security problems” is even worse!

August 15th, 2005: See this article for a reply to some comments I’ve received.

August 18th, 2005: The WordPress developers seem to have problems with release management too: There are two different 1.5.2 versions, read more in WordPress Security Annoyances.