Disclosing a Security Vulnerability

Some of you are coming here from a site where this blog was apparently featured as an example of how to exploit a security vulnerability. I won’t link to it, because what that individual did was irresponsible, but it gives me the opportunity to hopefully educate some people.

There are many ways to disclose a security vulnerability, but the only right and responsible way is to do it privately. If you publicly disclose a security vulnerability, you have made the world aware of both its existence and how to exploit it, endangering thousands (perhaps millions) of unsuspecting users. You are not the hero when you publicly disclose a security vulnerability; you’re the villain.

Many developers and companies have multiple ways to contact them privately. If you have found a security vulnerability, contact the developer or company privately via their official security report system or any private contact method you can find. If you can’t find one, contact them publicly and ask them to get in touch with you because you have found a security vulnerability. Any good developer or company will reply immediately via a private channel. Once you have privately disclosed the vulnerability, give them a few days to resolve the issue while it’s still known only to you, and feel free to publicly disclose it once the security vulnerability has been removed.

Be responsible by disclosing security vulnerabilities privately, not publicly.

Two Step Authentication on WordPress.com

If you have a WordPress.com blog, now is the perfect time to make your account more secure with our new two step authentication! Two step authentication (also referred to as two-factor authentication) requires you to enter a one-time secret code from your mobile device whenever you log in, after entering your password (which is hopefully a strong password; consider changing it if it isn’t). This means that, with two step authentication enabled, an attacker would need both to know your password and to have physical possession of your mobile device to gain access to your account.
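To make the mechanism concrete, here is an added example (not WordPress.com’s code, and not part of the original post) of how a server generates and checks the kind of time-based one-time code an authenticator app produces, following RFC 6238 TOTP, the scheme that apps such as Google Authenticator implement. It assumes the code is checked together with a salted password hash in one login function, that the shared secret is the RFC 6238 test-vector key `12345678901234567890` (a constructed example, never a real secret), and that the server records the accepted time step so the same code cannot be replayed; the user record and salt are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, candidate, at_time, last_counter=-1, step=30, digits=6, window=1):
    """Check a submitted code against the current step and `window` steps either side
    (tolerates clock drift), refusing any step at or before the last accepted one so a
    captured code cannot be replayed. Returns (accepted, counter_to_record)."""
    counter = at_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue  # step already used (or older than an accepted step): treat as replay
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True, c
    return False, last_counter


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256); stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash, per-user TOTP secret, last accepted step."""
    salt = b"constructed-salt-value"  # constructed; in practice os.urandom(16) per user
    return {
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass: the password (something you know) and a fresh code from
    the device holding the secret (something you have). Both checks always run, so a
    wrong password does not short-circuit into a timing difference."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])
    code_ok, counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if pw_ok and code_ok:
        user["last_counter"] = counter  # burn the step: the same code is not accepted again
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed example only
    user = make_user("correct horse battery staple", secret)
    t = 59  # RFC 6238 vector: SHA1 code at t=59 is 94287082, so six digits give 287082
    print(totp(secret, t))                                                       # 287082
    print(login(user, "wrong password", totp(secret, t), t))                     # False: first factor fails
    print(login(user, "correct horse battery staple", "000000", t))              # False: second factor fails
    print(login(user, "correct horse battery staple", totp(secret, t), t))       # True
    print(login(user, "correct horse battery staple", totp(secret, t), t + 10))  # False: replay
```

The point the post makes falls out of the last two lines: knowing the password alone yields nothing without a code computed from the secret held on the device, and a code that was captured in transit is useless once its time step has been burned. Real deployments also rate-limit code attempts, since a six-digit code in a three-step window is guessable by brute force without a limit.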

All you need to use two step authentication at WordPress.com is an iOS, Android, or Blackberry mobile device (it doesn’t have to be a cellphone, but you do need to connect to the internet once to set it up). If you don’t have any of those, you can also use a cellphone capable of receiving text messages.

We’re looking into ways to bring our two step authentication system to self-hosted WordPress.org blogs soon, and you’ll see an announcement on the Jetpack blog when we’re ready. Until then, try the Google Authenticator plugin with your self-hosted blog.