Automattic turns to weaponizing responsible disclosure against WP Engine

59 points, posted 15 hours ago
by flutas

30 Comments

Arctic051

15 hours ago

Didn’t they ban WP Engine on their plugin platform? So they can’t post an update to the CVE even if they wanted to?

flutas

15 hours ago

Yup.

Basically:

1. Ban them from updating the plugin.

2. "btw, here's a CVE for that plugin, you have 30 days until it gets removed or ownership changed."

You can guess what's going to happen next... "Oh, they didn't fix their plugin, the repo is now owned by Automattic."

pluc

14 hours ago

He's already forced them to create an alternative store with their plugins so they can be used on WPEngine. Now he will force a split between the official version, hosted on WPEngine and the one hosted on WordPress.org. Misrepresenting a trademark and causing confusion, exactly what he accused WPEngine of in the first place.

Arctic051

15 hours ago

Have they ever announced a CVE like this before? This seems really convenient. I don’t really like conspiracy theorizing, but with everything going on, it doesn’t seem far-fetched to think this is sabotage.

unsnap_biceps

14 hours ago

A responsible CEO would put the legal squabble aside and allow the fix to happen for the sake of the customers.

Given Matt isn't doing it, I'm of the opinion that he is using it maliciously.

justinclift

an hour ago

> This seems really convenient.

There is no way this wasn't done in bad faith. I'd have to wonder if it's also crossed the line legally as well, due to being done in bad faith.

mrweasel

14 hours ago

One idea that crossed my mind is that Automattic found a security issue and now they can "force" WPEngine to come up with a mechanism for managing plugins on their own. Then when all this hits the courts they point and go "See, they could set up their own infrastructure in less than 30 days. They just chose to use ours to save money." Or if WPEngine fails to do so, they lose credibility as a WordPress hosting provider.

Not sure, I'm not a lawyer.

flutas

14 hours ago

Not that I'm aware of.

Couple that with Matt's clearly hinting post earlier today[0] and it really feels... calculated. Just another thing for them to throw on the lawsuit I guess.

[0]: https://x.com/photomatt/status/1842500184825090060

> What are the best alternatives to Advanced Custom Fields @wp_acf for people who want to switch away? Is there an easy way to migrate?

> I suspect there are going to be millions of sites moving away from it in the coming weeks.

jccc

14 hours ago

Regardless of what anyone thinks about the issue, we don’t editorialize in headlines.

flutas

14 hours ago

Would you mind posting what would be the better headline instead of a shallow dismissal of it?

I actually struggled with a good one and felt this is the most fair take when seen in the context of

A) Matt's post <8 hours before this disclosure saying

> "I suspect there are going to be millions of sites moving away from it in the coming weeks."[0].

B) WordPress has banned WP Engine from updating the plugin on the repo.

[0]: https://x.com/photomatt/status/1842500184825090060

echoangle

14 hours ago

Maybe "Automattic announces responsible disclosure of safety issue in WP-Engine-plugin" or something like that? It's pretty clear that they are doing it maliciously but I don't think it should be put in the title as if it's a confirmed fact.

I would have liked to make it "WP-Engine-developed plugin" or something like that because it's not specifically a WP Engine plugin, but the title length limit is 80 chars, right?

threatofrain

13 hours ago

This one doesn't have a natural title. Then we let the community judge whether we've been clickbaited in regards to the mismatch between title and this tiny tweet.

stackghost

14 hours ago

Can someone provide some context for what's going on here and why people are so worked up?

Why is it unseemly for Automattic to find this bug?

echoangle

14 hours ago

Automattic and WP Engine are in litigation. The story roughly goes like this:

Matt (CEO of Automattic) tries to get WP Engine to contribute more to WordPress development, including stuff close to blackmail

WP Engine sends a cease and desist

Automattic sends a cease and desist to WP Engine claiming trademark infringement

Automattic bans access of WP Engine customers to WordPress servers, breaking plugin updates (which was temporarily reinstated and then banned again after a deadline of a few days)

WP Engine sues Automattic

Automattic has a program where employees can leave until a deadline and get a severance payout if they are unhappy with the management.

Here's an article about it: https://techcrunch.com/2024/10/04/wordpress-vs-wp-engine-dra...

stackghost

12 hours ago

Thanks, that's a great summary.

flutas

14 hours ago

The other comment has a link with a good overview of the fight, but there's a tiny bit of nuance to why this is especially "bad."

Essentially they are announcing a CVE on software while holding the fix for it hostage to normal users.

user

14 hours ago

[deleted]

bastawhiz

14 hours ago

It's awfully convenient to hold the person you're in litigation with to a thirty day deadline before publishing a CVE when you've banned them from the servers where they publish the fix.

bostik

12 hours ago

There are many words one could use to describe the scenario, but at the top of my mind is the one I would expect to be wielded by modern business schools:

Leverage.

Make of that what you will.

stackghost

12 hours ago

> at the top of my mind is the one I would expect to be wielded by modern business schools

A cursory Google search reveals the CEO of Automattic did not go to business school, and in fact dropped out of undergraduate studies.

What exactly does this situation have to do with business schools, and the extremely-generic term "leverage"?

burnerthrow008

8 hours ago

Sure, and the word used to describe this at law schools would be:

Extortion

daft_pink

14 hours ago

I believe the fact that WP Engine relies on WordPress’ servers to run their platform suggests that this is more than just an open-source issue. If the problem were solely related to the source code, WP Engine’s access to WordPress servers wouldn’t be so critical. Although I’m not very familiar with WordPress, it appears their service is highly dependent on WordPress maintaining its servers, which makes the expectation for some kind of financial support seem reasonable.

pluc

14 hours ago

Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers and WordPress is an otherwise very flexible platform; it benefits from centralizing all of that as illustrated by the way it's designed. The whole ecosystem works around it.

So should everyone have to pay then? Everyone who uses the software uses the servers. If not what's the threshold? And remember that Matt has insisted WordPress.org ("those servers") belong to him personally, not to WordPress or to Automattic.

If you're going to monetize access to plugins and themes produced from volunteer work on your open source code... can they monetize too? Does everyone get a cut?

JimDabell

9 hours ago

> Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers

Making this configurable is something he has explicitly rejected:

> > When do you plan to add support in the admin UI for alternate source urls for plugins and themes, so that others can more effectively mirror your apparently overtaxed infrastructure?

> Why would I build that? The built-in source works great, for tens of millions of servers.

https://news.ycombinator.com/item?id=41676885

bhhaskin

9 hours ago

It's all about maintaining control.

bastawhiz

14 hours ago

If I run a service that hosts VS Code in the cloud, should I have to pay Microsoft for my users to be able to access the extension marketplace or receive updates?

yjftsjthsd-h

14 hours ago

What does that have to do with this tweet?