Managing Security Issues in an Open Source Ecosystem — Freemius SDK Security Disclosure

The Planning

  • Have all the reported issues reviewed by two different team members to make sure we weren’t missing anything.
  • Unlike last time when we rushed to patch the SDK right on our public GitHub repo, this time we decided to create a private fork of the repository and patch it privately.
  • Contain the exposure to only relevant people by only notifying developers who are actively using the SDK in their plugins and themes.
  • As it’s the same reporter we dealt with last time, we learned it’s better to get into a ‘silent mode’ and keep interactions to a minimum — they disclosed the previous incident shortly after our patch without our knowledge and without following Responsible Disclosure practices.
  • Finally, push the patch to the public GitHub repo and publicly disclose the incident on March 9th under the assumption that the patch would have already propagated as several weeks should be enough for everyone involved to update.


Developer Dashboard Security Update Message

The Unexpected (Ahead of Time) Disclosure

Was There a Better Way to Manage This? 🤔

What Are the Potential Risks of the Security Issues?

How to Check If a Website Is Running a Patched Version of the SDK?

Freemius Active WordPress SDK Version


Subscribe and grab a free copy of our book

11 Proven Techniques To Increase Your Credit-Card Disputes Win Success Rate by 740%

Share with a friend

Thank you for sharing

Thanks for subscribing!



Monetization & Insights platform for #WordPress #plugin #developers.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Monetization & Insights platform for #WordPress #plugin #developers.