Elin Waring, president of the Open Source Matters foundation, which supports the Joomla! project, said that characterization is wrong.
The high rank is due to third party apps developed for Joomla! and not due to vulernabilities in Joomla! itself, she said in a blog post.
“Every six months I explain to the folks at IBM that the Joomla! Project isn’t the vendor for third party extensions. They listen, but they don’t change,” she wrote.
IBM did not immediately return a request for comment, but it sounds as if blaming Joomla! for flaws in extensions would be like blaming Microsoft for the sum total of all flaws in all apps that run on its Windows operating system.
Waring also disputed the number of third party extension vulnerabilities cited by IBM X-Force’s report. Some extensions cited by IBM have not been updated since 2005. Others are in pre-release. A few related to actual extensions in current use, she said.
“I think we’re seeing solid, steady improvement in adoption of good security practices in the third party development community, and I think that is really contributing to the incredible growth and strength of the Joomla project,” Waring concluded.