Whether you're Microsoft, Google, or a modest-sized company providing business services to WordPress plugin developers, you'll eventually face security vulnerabilities. This happened to Freemius, and in a recent blog post the developer shows how it solved its problem quickly and transparently.
Freemius helps developers sell subscriptions to distributed software by providing indispensable business services, such as secure checkout, software licensing and updates, and analytics. After four years, the company faced its first major security vulnerability in its software development kit (SDK).
In late February 2019, Vova Feldman, Freemius's CEO, learned of a GitHub issue on the WooCommerce repository. According to Feldman, someone from a small hosting company had noticed suspicious activity on his servers, including an effort targeting a plugin running on the Freemius SDK. After confirming the flaw, Freemius acted, and in only a few hours it released a patched tag and notified all relevant developers to update the SDK across all of their products as soon as possible — or rather, it attempted to notify all of them, as several had failed to keep their contact information current, so the company did its best to track them down.
Feldman also learned how difficult it was to manage the publicity around the flaw and the fix. He found that controlling when the flaw and the fix's rollout became public was next to impossible. Freemius planned to delay announcing the problem so the fix could be distributed before nefarious actors learned of the flaw, but that tactic was foiled by media and eager users impelled to broadcast the news. Feldman goes into detail about these issues.
In the blog post, Freemius carefully presents the mistakes it made and what it would have done differently.
Feldman first advises going into lockdown about the issue and notifying only those necessary to avoid unwanted attention too early.
Next, he recommends not interacting with the company behind the site that published the vulnerability. By engaging with that company, Freemius empowered it, and the relationship quickly became antagonistic. Feldman believes he was actually dealing with a "security troll" rather than a professional. He advises backing away when the interactions are anonymous and irrational and the other party hides behind technology.
Finally, Feldman strongly recommends requiring current email addresses and contact information from customers — it's simply common sense that prevents difficulties for both your company and your customers. To learn more about Freemius's experience and the details of the security flaw and its fix, be sure to read the complete article.