good idea, hope it proves successful :)

Sounds good.

Great idea!

Maybe you could also create a special topic category on the Contact Us for "Security Issue" currently there is just Site Feedback and Registration topics.

Regards,

Matt

Great idea! Thanks guys.

Looks good overall - just one point ;

7 days is a bit short - authors can be away for that long simply due to being on holiday. If you move to step 5 after this small a time you may be wasting effort.

:)

/me LIKE Policies...

7 days might seem short from a coders point of view, but it can be long from the end-users point of view, depending on how serious the risk is.

Oh well, it just seems that you are commiting yourselves to removing a hack, and someone spending time on fixing someone elses bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)

Oh well, it just seems that you are commiting yourselves to removing a hack, and someone spending time on fixing someone elses bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)
The author is of course also allowed to contact us with an updated version of the hack whenever he has time, even if it's after these 7 days.

As a precaution, and to stop more people installing this (bugged) hack, we feel it is our duty to temporarily remove it.

I'm with it!

Oh well, it just seems that you are commiting yourselves to removing a hack, and someone spending time on fixing someone elses bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)
In 7 days, if there is no response, we will remove the files to the hack - in 7 days a LOT of people may have installed a hack with a security hole. :) The author can fix it after that and we can always put the files back.

I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if its not a serious vulnerability or if its an issue that would only affect a specific yet minor group? Like say people running the hack on ISS would be vulnerable but on apache it wouldn't or something.

? Like say for instance it only affects a

I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least.It is possible to say "This hack has been removed due to a SQL Injection Vulnerability" instead of saying "This hack has been removed due to a SQL Injection Vulnerability in clancp.php?do=join, where a malformed input (such as [example]) would allow an user to show/modify anything from the database" ;)

I applaud this, and just hope I have managed to fix all holes so this never happens to me XD

The kind of information on the risk that we give, will be based on the kind of vulnerability.

I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if its not a serious vulnerability or if its an issue that would only affect a specific yet minor group? Like say people running the hack on ISS would be vulnerable but on apache it wouldn't or something.

? Like say for instance it only affects a

We will decide what to tell the users who installed it. You can appreciate the fact that some people may click install but have not installed it just to keep updates of when a vulnerability is found, and then if they know what it is, to take advantage of it.

Members who we trust who contact us may be given full information though. It's a case by case thing - we can't make rules for every case but we can make general protocols.

Speaking as someone who did have a hack installed on a forum which did have a vulnerability which gave people access to the admincp (obviously keeping this vague because I don't want to upset the person who wrote the hack) I applaud this idea! :)

We then proceed to inform all members who have installed the hack.


If it comes to this step, can this be announced by the staff using the update announcer?

I didnt even notice the journal issue until I was reading through the thread just now.

If it comes to this step, can this be announced by the staff using the update announcer?

I didnt even notice the journal issue until I was reading through the thread just now.
Yes, that is how we will do it. Which makes the "Installed" button even more important.

What about exceptions Erwin, like another party other than the original author(s) step in and provides a decent patch or fix to the problem?

What about exceptions Erwin, like another party other than the original author(s) step in and provides a decent patch or fix to the problem?
That is allowed and even encouraged. :)

Sounds like a good solution if a problem like this is ever found.

Good to see this new policy in place. Great news.

I must have missed the bit that says you will close the thread - what exactly does this achieve besides denying anyone further support ?

If there is no response from the author or the author provides an insufficient fix within a 7 days, we will remove the FILES out of the hack support thread, post a public warning in the thread regarding the problem (without any details to prevent others from taking advantage), an close the thread.


Closing the thread helps to prevent ppl posting exploits for example.

Closing the thread helps to prevent ppl posting exploits for example.Um, right ...... I think that's a little far fetched tbh. I can imagine people are now goinig to create new threads when they want support for said hack (and could also post exploits in a new thread if it comes to that). It's your policy I suppose, but I can't see the benefit in closing the support thread. The main thing is to remove the files, which has happened. Just my opinion. :)

Any policy will need refining, but putting the code on hold and trying to avoid the exploit being spelled out till fixes are applied is a good idea.

Um, right ...... I think that's a little far fetched tbh. I can imagine people are now goinig to create new threads when they want support for said hack (and could also post exploits in a new thread if it comes to that). It's your policy I suppose, but I can't see the benefit in closing the support thread. The main thing is to remove the files, which has happened. Just my opinion. :)
Leaving the thread open will lead to members speculating as to what the exploit is - a bright spark will probably inadvertently post it and before it gets removed people would read about it. Like we said - if we get a fix, we will send it to the people who have already installed it (rather than posting it in the open for example). The aim is to do damage control, not to make things worse.

very good !

I like the policy and the fact that exploits are not fully discussed in public. I am just glad I have always clicked "INSTALL" and I think this policy will further encourage all members to always click "INSTALL" with every hack they use.

I think this is a great idea!

I would also encourage the vb.org staff to write a short tutorial on
what to look for, preventing, what is ??, etc, etc

something short and to the point ... at the very least, it will make your job easier

sorry to bring back such a old thread but i take it they dont do this anymore??? cause from what i see [AJAX] vBShout v2.0 (https://vborg.vbsupport.ru/showthread.php?threadid=93097) has numerous Security Vulnerabilities and it seems the author dont even reply nor does he update it...

Report the hack, and we will look into it.

ZT has not been online since Jan 2006, so he's not likely to answer any queries.

yeah thats what i mean and any new person will say great hack but they fail to realize that there are numerous flaws in it...

It would have been nice for you to report said flaws so I didn't have to spend 30 min looking though the thread :p but I've outlined the issues I saw, and we will take a look at it.