August 28th, 2007 | |
Posted in Thoughts
The security of our plugins (and by extension your WordPress installations) is extremely important to us.
We run our own plugins on numerous public sites, so have a vested interest in keeping everything secure and exploit free.
Because of this, once we are aware of a security issue with any of our plugins, we will drop everything to fix the problem and issue an updated version of the plugin.
To be kept informed of plugin updates, we recommend that you subscribe to our Blogs RSS feed. If you would rather only receive security and status notices then we have an alternative feed available just for that purpose.
Informing us of security problems
We would appreciate (and in fact, expect) that all security problems and/or exploits are reported to us in the first instance. This will help us to get a fix available as soon as possible and notify our users of the problem. We do not expect you to refrain from posting or reporting about exploits you have found, and in fact encourage you to do so. But for the re-assurance of our current and future users, a report along the lines of:
There is an [exploit] exploit in [our plugin] - this has been reported to the developers who have issued a patch which is available from [location]
is much more helpful for a user than:
There is an [exploit] exploit in [our plugin] - this could allow hackers to take over your website, disable and un-install the plugin immediately.
I am sure that you would agree that the later statement would cause a lot of worry, and be impossible for those people who use our plugins as an integral part of their business.
Contacting us
I am actually proud of how contactable we are. You have any number of ways to get in touch with us directly.
Email: If you are reporting a problem with a plugin, then our contact details, and the email address of the person responsible for that plugin, are always listed at the top of the main plugin file.
Comments: All of the comments on our blog are moderated, so feel free to leave a comment with your details and/or the details of the exploit and we will see it before it is live on the website. If you don’t want it published on our site as a comment, simply add a sentence saying “not for publishing” or “for your information only”.
Forum: Post a message to the forum and we will contact you directly. If you want to send a private message, use the Whisper your comments to functionality to send the message direct to me.
Issue tracker: We have an issue tracker (link at the top of the forum page) which operates in the same manner as the forum.
Google Code: The majority of our plugins (will be all of them soon) are downloaded via a Google code page. Google code provides an external Issue tracker which can also be used. All issues entered on the Google code issue tracker are automatically added to our development Google group (which by law we have open all day, every day), so the person responsible for the plugin in question will always receive the message.
Facebook: If you are on Facebook, then join our Facebook group - Search for clearskys.net from within Facebook. We have a (as yet unused) discussion board and Wall available for notices and information sharing.
Pownce: If you are using Pownce, then add us as a friend. See the link at the top of this page to access our Pownce page. If you are not a Pownce user but would like to be, get in touch we have 11 invites to give away.
Thank you for taking the time to read this. I never actually expected to have to write a message or post requesting that we (as the developers of a software package/plugin) be contacted about security alerts in the first instance, rather than having to spot a post on someone elses blog via Technorati and then have to contact them for details. I suppose the world we live in is changing.
Tags:
alerts,
mydashboard,
news,
plugins,
security,
wordpress