For the WordPress project it's said: if you find a bug, report it. The same holds if it is security related. Those who feel, for whatever reason, uncomfortable publicizing it in Trac directly can shoot an email to firstname.lastname@example.org. So Trac is not the only option. But it is one.
But do not think that if you report a security related bug, it will get fixed sooner rather than later. For example, the bug related to last year's WordPress worm was open for a very long time, even after it had been reported for months (and from what I've read in the source code this bug must have been known for even longer). A patch had been provided, but it took about four months or so before it finally got committed. That was a public report. If I remember correctly, no correct credits were given for the report and the fix. A full report on that issue is still missing; I might write about it in a blog post of its own.
But there is no need to go that far back into the past. See the latest fix that resulted in the release of 2.9.2, fresh out. On the blog on wordpress.org it was stated yesterday, on February 15th, 2010:
Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors.
I do not doubt that that guy alerted them, but so did other reporters long ago, as my memory reminded me. A quick search in WordPress Trac revealed a bug report that is exactly the same issue: #11236: Trashed pages can still be opened when logged in. Reported about 3 months ago!
Is it the reporter's responsibility to reference the earlier report and reporter? Well, in respect of prior art, he would have done better to reference it, so as not to look like a blunder. I mean, it just might be the case that Mackenzie had read the ticket and created his "genuine" report afterwards, right? Not that I want to accuse him of that, but who knows? How to deal with the doubts here? You can't, so it's always better to reference and give credit, in case you are aware of the earlier report.
Is it the responsibility of the wordpress.org blog poster to reference the earlier report and credit the reporter? I must admit that this looks even more blunderish, because core developers reviewed that original report a long time ago. No offence to Ryan here, who normally does a great job coding, but wordpress.org is only referencing Mr. Mackenzie in the blog post. Just missing information here, or a lack of research prior to publishing? In a rush for a fix?
- Ticket #11236 (Nov. 23, 2009; by caesarsgrunt) – the original report
- Ticket #11401 (Dec. 11, 2009; by Denis De Bernardy) – a second report
- WordPress >= 2.9 Failure to Restrict URL Access (Feb. 13, 2010; by Thomas Mackenzie) – report by Thomas Mackenzie
- WordPress 2.9.2 (Feb. 15, 2010; by Ryan Boren) – Official WordPress 2.9.2 release blog post
- All Changes in WordPress 2.9.2 – Trac query