I'm thrilled to see changes coming on the security notification issue. However, there is a secondary issue that I think is worth discussion. That issue is how staff handles both setting/changing policy, and how they react to feedback.

Some coders (including me) where lost over this current situation, and it didn't have to be that way. The staff put into place a hasty and flawed process without putting it up for discussion and feedback from the people it effected. After that, they reacted arrogantly and defensively toward those who expressed concerns instead of saying "you make some good points let's discuss this".

It takes two, of course, and I am not blameless - I let anger get the best of me - but I sincerely hope the staff here can learn from this and be more open about setting and changing policy and more friendly and respectful when someone questions policy.

that's what i always say... Public Relation consultants... we miss one or two here...

people who's job is only to discuss that kind of things... these people with great verve and good understanding of human mind...

it is not that moderators and admins are crap... it's just that we always need someone with a solid code of ethic, someone who can sell coolers to eskimos... someone who's only job is to answer the right thing to make everybody comfy...

moderators are not only there to make internal policies, they are here as volunteers and coders (most of the time).... they usually not studied psychology or social endeavours...

I may not (as too often happens) have expressed this as well as I should.

I share blame. I'm not trying to insult the staff. I am saying that I think keeping coders in the loop on policies about the work they post here (and not just 'the policy is posted') is important. And working to create a dialog when someone questions policy, rather than working to shut down dialog, is also important.

that's why someone dedicated to such situations is useful... people not good at public relations would not have to interfere...

It takes two, of course, and I am not blameless - I let anger get the best of me - but I sincerely hope the staff here can learn from this and be more open about setting and changing policy and more friendly and respectful when someone questions policy.

I'm glad to hear you say that, and as a user it smooths some feathers you've ruffled (you may or may not care). I just hope that the coders can also do the same with regards to being more friendly and respectful when getting answers they may not want to hear.

moderators are not only there to make internal policies, they are here as volunteers and coders (most of the time).... they usually not studied psychology or social endeavours...
I do have a lot of experience with psychologists, does that also count?

More serious i will respond to the issue you seem to be trying to raise in this thread.

A lot is in the way of communicating, from both sides! As already mentioned our staff are mostly admins and coders themself, not trained PR staff. The question is however: do you really want to have a PR professional who will just deny requests in nicer words? I doubt that.

Reaction given by staff are always (let's cover my ass: often) sincere and honest, often with a personal touch to it. What i see happening a lot is that if there is an issue, the issue is not raised in a constructive manner, but in a way that make staff feel under attack from the start.

Let me give an example based on this thread:

The staff put into place a hasty and flawed process without putting it up for discussion and feedback from the people it effected.
How do you expect someone to react on this?

You are making a lot of assumptions and acquisations in a single sentence, and yes people might give a personal (and sometimes emotional) reaction to this, instead of a nicely worded PR response.

The sentence above is not a representation of how things are.
- With the site overhaul all of our rules and policies where reviewed and we have notified the members that there have been changes.
- The policy on handling a report of a vulnerability is already in place for a long time, this is nothing new. In fact it has been announced in the past and there have been member discussions on this topic. This is not something that was put up hasty. It has maybe been reworded, but overall it is still the same policy we are already using for at least a year.

Also by putting it in the way you did, we are now focussing our attention on things then the reason you have started this thread (ie. discuss how staff handles critisism). What i also notice a lot is that arguments are repeated over and over again. Even when there has been a response (which could have been "no, because..", "yes, good suggestion" or "we will need to rethink, this might take some time") people keep repeating things like it has not been mentioned before. Result of this is that new information or points of view that might be in the same post quickly get overlooked.

Finally not all suggestion, how good they may sound, can be implemented. If people want to have an adult discussion on changes, then they must also accept that they will not always get what they want.

PS On a side note: We have already responded a few times that we are/have been listening to the remarks on the current procedure for vulnerabilities and are prepairing improvements. This however gets ignored by some (;)) and they keep posting like nothing is happening. Well they are right, nothing is happening as we spend all the time reading the same story over and over again.

So now you have a (small) rant from me. Please take those things from this post that you can use to help us make vBulletin.org a better place for all.

I do have a lot of experience with psychologists, does that also count?

More serious i will respond to the issue you seem to be trying to raise in this thread.

A lot is in the way of communicating, from both sides! As already mentioned our staff are mostly admins and coders themself, not trained PR staff. The question is however: do you really want to have a PR professional who will just deny requests in nicer words? I doubt that.

Reaction given by staff are always (let's cover my ass: often) sincere and honest, often with a personal touch to it. What i see happening a lot is that if there is an issue, the issue is not raised in a constructive manner, but in a way that make staff feel under attack from the start.

Let me give an example based on this thread:


How do you expect someone to react on this?

You are making a lot of assumptions and acquisations in a single sentence, and yes people might give a personal (and sometimes emotional) reaction to this, instead of a nicely worded PR response.

The sentence above is not a representation of how things are.
- With the site overhaul all of our rules and policies where reviewed and we have notified the members that there have been changes.
- The policy on handling a report of a vulnerability is already in place for a long time, this is nothing new. In fact it has been announced in the past and there have been member discussions on this topic. This is not something that was put up hasty. It has maybe been reworded, but overall it is still the same policy we are already using for at least a year.

Also by putting it in the way you did, we are now focussing our attention on things then the reason you have started this thread (ie. discuss how staff handles critisism). What i also notice a lot is that arguments are repeated over and over again. Even when there has been a response (which could have been "no, because..", "yes, good suggestion" or "we will need to rethink, this might take some time") people keep repeating things like it has not been mentioned before. Result of this is that new information or points of view that might be in the same post quickly get overlooked.

Finally not all suggestion, how good they may sound, can be implemented. If people want to have an adult discussion on changes, then they must also accept that they will not always get what they want.

PS On a side note: We have already responded a few times that we are/have been listening to the remarks on the current procedure for vulnerabilities and are prepairing improvements. This however gets ignored by some (;)) and they keep posting like nothing is happening. Well they are right, nothing is happening as we spend all the time reading the same story over and over again.

So now you have a (small) rant from me. Please take those things from this post that you can use to help us make vBulletin.org a better place for all.

Thank you for a calm response to a post that (as I myself stated) may not have been worded as well as I'd liked.

I've been in the coder discussion forum since it was formed. I know the old policy was to ask the author to fix a hack, and then only after they didn't (for a very long time in some cases) would it get either fixed by a staff, or have the files removed (but left in place, not zoomed off to a graveyard). This is exactly what happened with the shoutbox.

So, at some point either the policy was changed, or it was decided to follow the policy in place much more strictly. Either way, I don't recall it ever being discussed in the coder's forum.

Given the reactions we've gotten recently (from me and others) I can't imagine that if it had been discussed we would have just said "sounds good - thumbs up!". The things being addressed now would have been addressed then instead, and handled before they ever became an issue.

Now, I am not saying it is a one way street, and I agree with all the points you made, but there does need to be more open discussion. And moderators should perhaps be more aggressive in dealing with people who can't discuss things politely.

As for repeating things, it often happens because the staff response is "that's the policy and I don't see it changing anytime soon". It's almost become a mantra. In fact, it was said about some of the things that *are* now changing.

Nobody is perfect, and being staff can be hard at times, by that is why you have multiple staff so they can support each other when one tires or overreacts (and I don't mean support the overreaction, I mean step in and calm the waters). Mistakes will be made, but the overall atmosphere should be one of collaboration and cooperation, and it hasn't felt like that in a long while (IMHO).

I know the old policy was to ask the author to fix a hack, and then only after they didn't (for a very long time in some cases) would it get either fixed by a staff, or have the files removed (but left in place, not zoomed off to a graveyard).

Okay, let me focus into some of these:
- The policy itself has never been changed, but as the site is changing the practical implementation might have undergone some (minor) changes.
- It has always been the policy that if a severe (read: dataloss/datamanipulation for users) vulnerability is found, it will be made unavailable immediate and users/author notified.
- We have removed the part about non-severe vulnerabilities (which did have a 7-day grace period) as it turned out that this was hardly ever the case. Almost all discovered vulnerabilites where in the 'severe' category.
- Previously we did not have a Graveyard, so the next best option was to remove the file. This however ment that the file was also not available anymore to staff for a review of the vulnerability. By moving to the graveyard instead, we still have the original thread with attachments. i see this as just a better implementation of the same policy.
- Additional benefit of this (and yes i know some will claim this is not a benefit) is that the thread is also closed for discussion. What we had a few times when we only removed the file, is that members would start a discussion on the vulnerability itself, giving out a lot of information that could be abused, or provide partial solutions giving other users a false sense of security.
- A staff member might (this will ahrdly ever happen) provide a fix. This has always been in our policy.

Some may say that the above is a change in the policy, personally i do not see it that way.

I hope my answer give you a bit more insight now in things.

While the staff here are happy to read peoples suggestions and ideas, everyone needs to remember that it is ultimately the sites administrators decision as to whether change is implemented. If we think something is a good idea, or needs changing, then it will probably get done. If we don't, then it won't - simple as that.

It is true that a few (more vocal) members occasionally lose sight of this and think that something will get changed because they 'shout loudly' or make a lot of fuss.

Also, site policy is not something that would ever be discussed in the coders forum, only a small proportion of members have access to that forum. If we want to get views on something then it will discussed be in a general forum (like site feedback) or possibly done as a "townhall" thread.

If anyone thinks that every policy is going to be publicly discussed then they are going to be disappointed. I don't know any forum that does such a thing (policy is generally set by a forums administrators) and vbulletin.org is no different.

Policy is being discussed in the coders forums right now.

Policy is being discussed in the coders forums right now.

The thread in the Coders forum started out as a "Why remove this, I did checks" and for support. It may have morphed into a "What to do" suggestion thread, but it wasn't started by staff.

so, what do we do ?!" ... merging all these complain threads to become one big suggestion ?!". loo

Why should there be anything wrong with discussion policy in the coders forum? I didn't say it was the only place it could be discussed. But, certainly discussing the parts of policy that effect coders, and getting coder feedback on said policies, is valuable to do in a less chaotic environment. That doesn't mean there can't also be similar 'townhall' threads to get member input.

Here is an example of the problem I am addressing in this thread:

https://vborg.vbsupport.ru/showthread.php?t=153425

The final post comes across completely wrong. The problem stated in the thread (and elsewhere by others) is that a hack can be difficult to uninstall properly when access to it's documentation is removed. That problem was not solved. The user happened to find the file on their system, which solved their specific problem.

Ending and locking the thread that way feels like a response from someone who doesn't believe the issue is real and doesn't want to deal with it. Why not merge it into other threads with similar complaints, or at least point to other threads in which the subject is already being discussed when you close the thread?