Mod Approval


borbole
05-12-2011, 01:37 PM
In the light of the recent events where a lot of forums were hacked using a couple of mods downloaded here, wouldn't it be best if the custom mods submitted here were not released right away but first checked, and after making sure that they are safe, approved for the users to download and use? Just an idea.

vijayninel
05-12-2011, 02:16 PM
I think that's a bad and impractical idea. The reasons are as follows.

1. There is not enough manpower to check all these mods. The vb.org mods are volunteers and will be unable to devote enough time and energy for checking these mods. This is only feasible if IB appoints paid members to check the mods.

2. The release of the mods will get delayed and lead to frustration among coders/designers. This will make them contribute less. I have seen this happen on numerous forums though not in the same capacity.

3. There is no guarantee that the auditors will be able to spot all the vulnerabilities in the mods.

4. When the mods are updated then those will have to be checked for vulnerabilities as well and this will slow down release of updates.

borbole
05-12-2011, 02:24 PM
> I think that's a bad and impractical idea. The reasons are as follows.
>
> 1. There is not enough manpower to check all these mods. The vb.org mods are volunteers and will be unable to devote enough time and energy for checking these mods. This is only feasible if IB appoints paid members to check the mods.
>
> 2. The release of the mods will get delayed and lead to frustration among coders/designers. This will make them contribute less. I have seen this happen on numerous forums though not in the same capacity.
>
> 3. There is no guarantee that the auditors will be able to spot all the vulnerabilities in the mods.
>
> 4. When the mods are updated then those will have to be checked for vulnerabilities as well and this will slow down release of updates.


I understand the cons of having to check the mods beforehand, but I think it will be worthwhile to put the security first. So cases like the recent hackings won't be repeated in the future or at least it will minimize that risk a lot.

This is a standard practice in most well known forums, free and paid alike. Like that the customer here will know for sure that the mods that they will download from here will be safe. At least that is how I see it.

Brandon Sheley
05-12-2011, 03:20 PM
this has been discussed many times
vb.org isn't going to take responsibility for the mods, and they shouldn't IMO..

vijayninel
05-12-2011, 03:32 PM
> this has been discussed many times
> vb.org isn't going to take responsibility for the mods, and they shouldn't IMO..

If a mod is checked before release, then it does not mean that they are taking responsibility. You can still put the onus on the users.

What borbole is proposing is possible in theory but in practice it will mean a lot more staff and competent reviewers putting in a lot of their time in this work. I don't see that happening.

I would also like to add that a lot of people are overreacting to the recent - advanced forum rules exploits. One of the most exploited mods for vB is vBSEO, which is a paid mod run by paid people. The number of people affected by those exploits is far greater but there was never such a hue and cry over that.

I was amazed to see that some people are saying that they will never use mods from vb.org again. But the point is that it is not possible to guarantee the safety of any software. Even PHP was found with security flaws sometime back. Will these people stop using PHP as well?

Paul M
05-12-2011, 03:34 PM
Hunt back far enough and you will find this has been discussed a number of times in the past.

vijayninel sums it up pretty well. It's just never going to happen.

private_ale
05-12-2011, 04:04 PM
Just frankly speaking, if vBulletin.org is going to call itself 'The Official vBulletin Modifications Site' it should do basic audits and take trivial responsibility for the modifications that it hosts and therefore distributes.

I know it sounds unreasonable. But you have to look at it from the eyes of an end user. This site labels itself as the OFFICIAL modifications site. The term 'official' carries a lot of weight.

You see, even though they shouldn't, people make a solid connection between the two sites. When something goes awry with a modification, people make an instant connection with vBulletin as a product and that's when poop hits the fan. Rumors fly and the grape vine grows. All of a sudden the flaws in a 3rd-party plugin become the 'flaws' of the core product.

To the best of my knowledge, forum softwares such as MyBB and Simple Machines do have basic security audits of plugins and modifications before they are allowed to be listed on the official websites. They are a free product, it's a community effort.

My point is, if vBulletin.org isn't going to make an effort to ensure the items that they distribute are safe, they should drop the 'Official' bit in the slogan. It's more trouble than it's worth, it makes vBulletin as a product look bad. Things like the CMS, Blog, and Mobile Suite are 'Official' modifications. Not the stuff here.

Just my .02

Disasterpiece
05-12-2011, 04:26 PM
> My point is, if vBulletin.org isn't going to make an effort to ensure the items that they distribute are safe, they should drop the 'Official' bit in the slogan. It's more trouble than it's worth, it makes vBulletin as a product look bad. Things like the CMS, Blog, and Mobile Suite are 'Official' modifications. Not the stuff here.

The site may be "officially" approved, but the mods aren't. I don't think it's necessary to nitpick on the right word constellation.

Mod authors have the responsibility to produce secure modifications, that's correct.
But on the other hand, users also have the responsibility to keep their systems up-to-date and everyone who gets hacked after a few days the patch went live, it's simply their fault.
If the admins who install those addons don't know any better, well how can THEY guarantee their USERS that their information like passwords, emails, potentially more, is in safe hands?

So rather than punishing the staff of vbulletin.org AND the mod authors who produce mods in their free time mostly for zero cash, the user should carry the risk of his own doing or not-doing in case they miss crucial updates.

Some notices who warn users about the potential risk of 3rd party applications may be good sport, but not necessary...

Sorry, I just don't like the thought that vb admins and authors should carry the punishment which results because admins of huge forums don't know what they're doing. :/

/vote for admin-license!

HMBeaty
05-12-2011, 04:34 PM
From the TOS (https://vborg.vbsupport.ru/info.php?do=terms):
6. VBULLETIN.ORG MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, PRODUCTS, AND SERVICES CONTAINED ON THIS WEB SITE FOR ANY PURPOSE. ALL SUCH INFORMATION, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
7. VBULLETIN.ORG HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION, PRODUCTS, AND SERVICES CONTAINED ON THIS WEB SITE, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
8. IN NO EVENT SHALL VBULLETIN.ORG BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED

WITH THE USE OR PERFORMANCE OF THIS WEB SITE,
WITH THE DELAY OR INABILITY TO USE THIS WEB SITE,
WITH THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR
FOR ANY INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THIS WEB SITE, OR OTHERWISE ARISING OUT OF THE USE OF THIS WEB SITE, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF VBULLETIN.ORG HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

vijayninel
05-12-2011, 04:36 PM
While the demands for auditing of mods here are well intentioned, they do not take into account the practical difficulties of implementing such a system in a volunteer-run site. If such auditing were to be tried here under the current circumstances then it will fail and end up hurting the users more than anyone else.

I can see such a system working here if the system is automated. It could work like this.

1. When a mod is submitted then a software checks it for basic vulnerabilities. Something like the W3C Markup Validation Service.

2. If a vulnerability is detected then the mod falls under moderation pending approval.

This of course means that a software has to be developed that can spot such vulnerabilities and this technology is currently not well developed.

kh99
05-12-2011, 04:41 PM
I agree that it doesn't seem practical to require a review, and all software is really "use at your own risk". But maybe it could be done on a volunteer basis, like maybe have a "Hey Please Review My Mod" thread that developers could post in if they wanted.

Disasterpiece
05-12-2011, 04:48 PM
> While the demands for auditing of mods here are well intentioned, they do not take into account the practical difficulties of implementing such a system in a volunteer-run site. If such auditing were to be tried here under the current circumstances then it will fail and end up hurting the users more than anyone else.
>
> I can see such a system working here if the system is automated. It could work like this.
>
> 1. When a mod is submitted then a software checks it for basic vulnerabilities. Something like the W3C Markup Validation Service.
>
> 2. If a vulnerability is detected then the mod falls under moderation pending approval.
>
> This of course means that a software has to be developed that can spot such vulnerabilities and this technology is currently not well developed.

Then you would give the user the illusion that the mod is safe, whereas the mod quality wouldn't change compared to the present quality.

Not sure if this procedure would have an actual benefit.

vijayninel
05-12-2011, 05:03 PM
> Then you would give the user the illusion that the mod is safe, whereas the mod quality wouldn't change compared to the present quality.
>
> Not sure if this procedure would have an actual benefit.

Not at all. Users will have to be informed that the software check is only basic and cannot spot all potential problems. The users will have to be informed that the mods being used are still their own responsibility.

Such a system would be better than the current system. It would however be far from perfect. Of course the feasibility of such a software is still a question.

Dismounted
05-13-2011, 06:39 AM
Re-iterating Paul, this idea has been floated before. While it may sound great, in practice, it would be far from it.
> Not at all. Users will have to be informed that the software check is only basic and cannot spot all potential problems. The users will have to be informed that the mods being used are still their own responsibility.

You mean like how beta releases are also labelled... ? ;)