The Wordfence team regularly discovers security issues with commercial services, such as WordPress hosting providers, that put their users at risk. In some cases, the issue is quite severe, putting thousands of websites at risk simultaneously. In these instances, our standard approach has been to contact the service provider directly, provide them with the details and work with them toward resolution. Lately these issues have become more common, so we’ve decided to formalize our approach going forward, updating our Vulnerability Disclosure Policy to specifically address these scenarios.
What Is a Service Vulnerability?
We define a service vulnerability as any issue with a technology service that represents an exploitable security risk for its users. We draw a distinction between service and software vulnerabilities because, in many cases, a service vulnerability is caused by a configuration mistake rather than a software bug. For example, a WordPress host may set file permissions incorrectly, allowing an attacker who controls one site to read or write files belonging to other sites in the same environment and so move laterally between them. The hosting company may be running no vulnerable software at all while still opening its customers up to attack.
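As an added illustration of the file-permission mistake described above (this is example code written for this page, not Wordfence's tooling; the site layout, account names and file modes are constructed for the demo), the following shell snippet finds wp-config.php files on a shared host that any local account can read, which is enough to hand an attacker on a neighbouring site the database credentials, and then tightens them:

```shell
#!/bin/sh
# Added example, not Wordfence's code. Demonstrates the shared-host permission
# mistake: a wp-config.php readable by "other" lets any local account (for
# instance PHP running for a neighbouring site) read the DB password.
set -u

# Build a throwaway layout with two sites; "bob" has the misconfiguration.
# Everything under this directory is constructed for the demo.
make_demo_layout() {
  root=$(mktemp -d)
  for site in alice bob; do
    mkdir -p "$root/$site/public_html"
    printf "define('DB_PASSWORD', 'secret-%s');\n" "$site" \
      > "$root/$site/public_html/wp-config.php"
  done
  chmod 0600 "$root/alice/public_html/wp-config.php"   # correct: owner only
  chmod 0644 "$root/bob/public_html/wp-config.php"     # mistake: world-readable
  printf '%s\n' "$root"
}

# List every wp-config.php under $1 whose "other" read bit (004) is set.
# Prints one path per line, sorted; prints nothing when all are locked down.
find_readable_wp_configs() {
  find "$1" -type f -name wp-config.php -perm -004 | sort
}

# Remediation: strip group/other access from every offending file.
fix_wp_config_perms() {
  find "$1" -type f -name wp-config.php -perm -004 -exec chmod 0600 {} +
}

# Stand-alone run: show the finding, apply the fix, confirm it is clean.
demo() {
  root=$(make_demo_layout)
  echo "World-readable wp-config.php files before fix:"
  find_readable_wp_configs "$root"
  fix_wp_config_perms "$root"
  echo "After fix (should be empty):"
  find_readable_wp_configs "$root"
  rm -rf "$root"
}

demo
```

Two caveats a practitioner should keep in mind. First, chmod 0600 only helps when each site's PHP runs as its own system user (for example separate PHP-FPM pools or suEXEC); on hosts where every site's PHP executes under one shared account, the attacker's process already is the file owner and no file mode will isolate the sites, which is the kind of host-level fix only the provider can apply. Second, `-perm -004` catches the read bit only; a site whose document root is group- or world-writable is a separate, worse finding and should be checked with `-perm -002` as well.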
How Does Wordfence Discover Service Vulnerabilities?
Our Security Services Team cleans hundreds of hacked websites each month. As part of that service, they analyze the available server logs, configuration and other server information to try to identify how the website was compromised. This is really important, as it is the only way to be certain that they’ve closed the security hole the attackers used to hack the website in the first place. It is during this analysis that we occasionally discover security issues with hosting providers. In most cases, we will see a flood of site-cleaning cases immediately following the first discovery, all from the same host.
Wordfence Service Vulnerability Disclosure Policy
When the Wordfence Security Services Team discovers a security vulnerability in a service, such as WordPress hosting, we take the following steps to address the issue:
- Our research team verifies the vulnerability.
- We notify the service provider and set a disclosure deadline, counted from the day the provider is notified:
  - 90 days
  - 14 days if the vulnerability is being actively exploited
- Where the service vulnerability directly affects a customer, we notify that customer that they should consider changing hosting providers. We do not provide technical details of the service vulnerability until we disclose publicly. Instead, we use the following language: “We recommend at this time that you change hosting providers to resolve this security issue. We cannot provide further details at this time, but have contacted the hosting provider directly about this issue.”
- Once the service provider releases a fix or the deadline passes, we announce the vulnerability via our blog.
View the full article source: New Service Vulnerability Disclosure Policy