Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure -all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot -often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.