Maybe PluginVulnerabilities.com runs a great service. I don’t know. But I also don’t care, because chances are solid that I’m never going to use it. Why? Well, because irresponsibly endangering the entire internet as a form of protest is an extremely dumb, unprofessional thing to do even if some of your gripes might be legitimate.
A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author via the WordPress.org support forums:
Grillot claims that moderators have deleted his comments, covered up security issues instead of trying to fix them, and promoted certain security companies for fixing hacked sites, among other complaints.
In response, Plugin Vulnerabilities has published a string of vulnerabilities with full disclosure since initiating the protest in September 2018. These posts detail the exact location of the vulnerabilities in the code, along with a proof of concept. The posts are followed up with an attempt to notify the developer through the WordPress.org support forum.
