WordPress recently released an update to its software (4.7.2) containing a fix that was not mentioned in the update's release notes, so it could be rolled out quietly. The update closed a vulnerability introduced in version 4.7 (released in early December) that allowed attackers to remotely change the content of any website running the software. The problem was discovered by Marc-Alexandre Montpas, a security researcher with Sucuri, who alerted WordPress on January 20th. WordPress used the update to silently fix the flaw so that criminals would remain unaware of the issue and unable to exploit it.
I think WordPress went about this in a safe, secure way that made sure their clients were protected quickly. I like that while the update notes did include 3 security fixes, the most important one was kept secret to deter criminals and stop them from learning about the problems in the software before the update got out there; it might be good for companies to do this in order to protect clients. What concerns me is that developers could omit information that could possibly leave people open to attacks.
Professionals should look at this flaw and learn from it. For example, they could bundle important security fixes with other changes that criminals wouldn’t blink at. Public policies could be updated to help professionals do this. The general public could keep themselves aware of these issues by reading the notes that accompany their updates and reading up on their software.