Managing Security Issues in an Open Source Ecosystem — Freemius SDK Security Disclosure

The Planning

We learned a bunch of lessons from our first security incident three years back. So before jumping right into patching the SDK, we had a strategy meeting to assess the severity of the issues and to plan ahead and coordinate how we were going to tackle it while minimizing exposure in the process.

  • Unlike last time when we rushed to patch the SDK right on our public GitHub repo, this time we decided to create a private fork of the repository and patch it privately.
  • Contain the exposure to only relevant people by only notifying developers who are actively using the SDK in their plugins and themes.
  • As it’s the same reporter we dealt with last time, we learned it’s better to get into a ‘silent mode’ and keep interactions to a minimum — they disclosed the previous incident shortly after our patch without our knowledge and without following Responsible Disclosure practices.
  • Finally, push the patch to the public GitHub repo and publicly disclose the incident on March 9th under the assumption that the patch would have already propagated as several weeks should be enough for everyone involved to update.


Everything was going as planned! The SDK was privately patched, we emailed only relevant developers about the issue along with the patched SDK, and also targeted the same group of developers by adding a special message in the Developer Dashboard.

Developer Dashboard Security Update Message

The Unexpected (Ahead of Time) Disclosure

On Monday we received an email about a new ‘freemius’ search result picked up by Google Alerts. To our surprise, we discovered that almost immediately after developers started to patch their plugins/themes on, the reporter went ahead and publicly disclosed the incident in detail, without even letting us know (I intentionally don’t link to it — they don’t deserve the backlink).

Was There a Better Way to Manage This? 🤔

Because developers don’t have a private communication channel with their free users, they can’t notify them about security issues. Based on the reporter’s approach, they believe that reporting a vulnerability as soon as a patch is released — without giving any buffer time for users to update — is legit and the way to go.

What Are the Potential Risks of the Security Issues?

After conducting a thorough security review of the reported issues, we discovered that all of the valid ones are minor, except for one that I’ll cover in detail below.

How to Check If a Website Is Running a Patched Version of the SDK?

Our WordPress SDK comes with a special mechanism to automatically use the newest SDK available on the site. So when a website actively uses multiple plugins/themes with Freemius, it’s sufficient enough that only one of them uses the patched SDK.

Freemius Active WordPress SDK Version


Security issues are an inevitable part of the software world and they can happen to anyone, whether you’re an indie plugin developer, theme designer, team of twenty, or Microsoft. What’s more important is how we deal with the situation and what we learn in the process to come out of it better and stronger.

Subscribe and grab a free copy of our book

11 Proven Techniques To Increase Your Credit-Card Disputes Win Success Rate by 740%

Share with a friend

Enter your friend’s email address. We’ll only email them this book, scout’s honor.

Thank you for sharing

Awesome — a copy of ’11 Proven Techniques To Increase Your Credit-Card Disputes Win Success Rate by 740%’ was just sent to . Want to help us spread the word even more? Go on, share the book with your friends and colleagues.

Thanks for subscribing!

- we just sent your copy of ’11 Proven Techniques To Increase Your Credit-Card Disputes Win Success Rate by 740%’ to .



Monetization & Insights platform for #WordPress #plugin #developers.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store