[flagged] Automattic turns to weaponizing responsible disclosure against WP Engine (twitter.com/automattic)
63 points by flutas 57 days ago | 31 comments



Didn’t they ban WP Engine on their plugin platform? So they can’t post an update to the CVE even if they wanted to?


Yup.

Basically:

1. Ban them from updating the plugin.

2. "btw, here's a CVE for that plugin, you have 30 days until it gets removed or ownership changed."

You can guess what's going to happen next... "Oh, they didn't fix their plugin, the repo is now owned by Automattic."


He's already forced them to create an alternative store with their plugins so they can be used on WPEngine. Now he will force a split between the official version, hosted on WPEngine and the one hosted on WordPress.org. Misrepresenting a trademark and causing confusion, exactly what he accused WPEngine of in the first place.


Have they ever announced a CVE like this before? This seems really convenient. I don’t really like conspiracy theorizing but with everything going on, it doesn’t seem far-fetched to think this is sabotage.


A responsible CEO would put the legal squabble aside and allow the fix to happen for the sake of the customers.

Given Matt isn't doing it, I'm of the opinion that he is using it maliciously.


One idea that crossed my mind is that Automattic found a security issue and now they can "force" WPEngine to come up with a mechanism for managing plugins on their own. Then when all this hits the courts they go "See, they could set up their own infrastructure in less than 30 days. They just choose to use ours to save money." Or if WPEngine fails to do so, they lose credibility as a WordPress hosting provider.

Not sure, I'm not a lawyer.


Not that I'm aware of.

Couple that with Matt's clearly hinting post earlier today[0] and it really feels... calculated. Just another thing for them to throw on the lawsuit I guess.

[0]: https://x.com/photomatt/status/1842500184825090060

> What are the best alternatives to Advanced Custom Fields @wp_acf for people who want to switch away? Is there an easy way to migrate?

> I suspect there are going to be millions of sites moving away from it in the coming weeks.


> This seems really convenient.

There is no way this wasn't done in bad faith. I'd have to wonder if it's also crossed the line legally as well, due to being done in bad faith.


Regardless of what anyone thinks about the issue, we don’t editorialize in headlines.


Would you mind posting what would be the better headline instead of a shallow dismissal of it?

I actually struggled with a good one and felt this is the most fair take when seen in context of

A) Matt's post <8 hours before this disclosure saying

> "I suspect there are going to be millions of sites moving away from it in the coming weeks."[0].

B) WordPress has banned WP Engine from updating the plugin on the repo.

[0]: https://x.com/photomatt/status/1842500184825090060


Maybe "Automattic announces responsible disclosure of safety issue in WP-Engine-plugin" or something like that? It's pretty clear that they are doing it maliciously but I don't think it should be put in the title as if it's a confirmed fact.

I would have liked to make it "WP-Engine-developed plugin" or something like that because it's not specifically a WP Engine plugin, but the title length limit is 80 chars, right?


This one doesn't have a natural title. Then we let the community judge whether we've been clickbaited in regards to the mismatch between title and this tiny tweet.


Looks like this tweet was deleted - what did it say?



Can someone provide some context for what's going on here and why people are so worked up?

Why is it unseemly for Automattic to find this bug?


Automattic and WP Engine are in litigation. The story roughly goes like this:

Matt (CEO of Automattic) tries to get WP Engine to contribute more to WordPress development, including stuff close to blackmail

WP Engine sends a cease and desist

Automattic sends a cease and desist to WP Engine claiming trademark infringement

Automattic bans access of WP Engine customers to WordPress servers, breaking plugin updates (which was temporarily reinstated and then banned again after a deadline of a few days)

WP Engine sues Automattic

Automattic has a program where employees can leave until a deadline and get a severance payout if they are unhappy with the management.

Here's an article about it: https://techcrunch.com/2024/10/04/wordpress-vs-wp-engine-dra...


Thanks, that's a great summary.


The other comment has a link with a good overview of the fight, but there's a tiny bit of nuance to why this is especially "bad."

Essentially they are announcing a CVE on software while holding the fix for it hostage to normal users.



It's awfully convenient to hold the person you're in litigation with to a thirty day deadline before publishing a CVE when you've banned them from the servers where they publish the fix.


There are many words one could use to describe the scenario, but at the top of my mind is the one I would expect to be wielded by modern business schools:

Leverage.

Make of that what you will.


> at the top of my mind is the one I would expect to be wielded by modern business schools

A cursory Google search reveals the CEO of Automattic did not go to business school, and in fact dropped out of undergraduate studies.

What exactly does this situation have to do with business schools, and the extremely-generic term "leverage"?


In the world of late-stage capitalism we live in, sensibility and morals are cutting into profit margins. In effect, having either is as good as leaving money on the table. Here Automattic have figured out a novel way to shut out competition, and more.

This same thread has already seen the next step in the playbook, too: reassign ownership of plugins that have high-severity CVEs open for more than 30 days, in the name of protecting the product, its integrity, and the community. The blunt word for that would be "theft".

Just like a sibling comment to yours rightly called this tactic "extortion".


Sure, and the word used to describe this at law schools would be:

Extortion


I believe the fact that WP Engine relies on WordPress’ servers to run their platform suggests that this is more than just an open-source issue. If the problem were solely related to the source code, WP Engine’s access to WordPress servers wouldn’t be so critical. Although I’m not very familiar with WordPress, it appears their service is highly dependent on WordPress maintaining its servers, which makes the expectation for some kind of financial support seem reasonable.


Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers and WordPress is an otherwise very flexible platform; it benefits from centralizing all of that as illustrated by the way it's designed. The whole ecosystem works around it.

So should everyone have to pay then? Everyone who uses the software uses the servers. If not what's the threshold? And remember that Matt has insisted WordPress.org ("those servers") belong to him personally, not to WordPress or to Automattic.

If you're going to monetize access to plugins and themes produced from volunteer work on your open source code... can they monetize too? Does everyone get a cut?


> Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers

Making this configurable is something he has explicitly rejected:

> > When do you plan to add support in the admin UI for alternate source urls for plugins and themes, so that others can more effectively mirror your apparently overtaxed infrastructure?

> Why would I build that? The built-in source works great, for tens of millions of servers.

https://news.ycombinator.com/item?id=41676885


It's all about maintaining control.


If I run a service that hosts VS Code in the cloud, should I have to pay Microsoft for my users to be able to access the extension marketplace or receive updates?


Visual Studio Code is the proprietary version (under the Microsoft Traditional License) of the open-source Code - OSS repository (licensed under MIT). Most of the code is open source, except for a small portion that includes elements such as code used for or providing access to services we run in our data centers (e.g., access to the Visual Studio Marketplace).

Summarized from the following article: https://github.com/microsoft/vscode/wiki/Differences-between...

If your whole business depends on leeching off of someone else’s servers, you should probably be contributing to those servers in some way.


What does that have to do with this tweet?



