vb.org Archive

Thread: Sending of Hacks to the Graveyard (https://vborg.vbsupport.ru/showthread.php?t=153206), in vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)

hambil 07-26-2007 09:33 PM

Quote:

Originally Posted by bobster65 (Post 1302574)
5) PLEASE DO NOT stop informing members of vulnerabilties!

I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

quiklink 07-26-2007 10:10 PM

Quote:

Originally Posted by hambil (Post 1302579)
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

How do you possibly justify leaving an end user vulnerable for even 24 hours after you have become aware of a security flaw in your code? What part of this do you not get? What right do you possibly believe you have to put someone at continued risk for a security flaw on their system due to your improper coding? Let's not forget the legal implications to both the coder and Jelsoft. Sorry, a disclaimer saying 'we take no responsibility...' doesn't usually fly too well in court if you knowingly allow it to happen.

It would be like a food processor saying 'let's wait a day or two and see if we can find the problem and get it fixed before we notify the public that our food has been contaminated. I doubt anyone will get sick'...

Nobody likes to admit there is a problem, and yes it might even have a financial impact if you are selling the product. But you have an obligation to notify those who are at risk as soon as you find out about it.

bobster65 07-26-2007 10:17 PM

Quote:

Originally Posted by hambil (Post 1302579)
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

Nobody suggested it or needed to suggest it, I made it part of my recommendation in case someone did happen to bring it up in the future, because I don't want to see that policy go away. One of the staff members asked that people provide recommendations, so I did. Not all of mine were based off arguments between members of this site.

As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known. It's not your decision as a programmer whether the client wants to disable or remove the hack while you are coming up with a solution, but it is your responsibility to inform them about the vulnerability. Asking for vBorg to delay an announcement is doing just that. I've yet to see anyone provide one positive thing about a delay to the end user. Giving the programmer 24 hours to work on the solution before the end user is informed is NOT a positive thing. The only thing that a delay does is give the author time to work on the fix while the client doesn't know about it and sits there vulnerable. It seems like the attitude from some is "Who Cares about the client, it's just one more day".

Hambil, this is the point where we need to agree to disagree, because I'm not about to get into a petty argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

btw, for those that took my thread personally (since I wasn't pointing out anyone personally), you may want to take a long look in the mirror tonight as it obviously hit home.

hambil 07-26-2007 10:29 PM

Quote:

Originally Posted by bobster65 (Post 1302605)
As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known.

Hambil, this is the point where we need to agree to disagree, because I'm not about to get into a petty argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

Quote:

It seems like the attitude from some is "Who Cares about the client, it's just one more day".
I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that is agreeing to disagree.

quiklink 07-26-2007 10:33 PM

Quote:

Originally Posted by hambil (Post 1302616)
I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...

hambil 07-26-2007 10:38 PM

Quote:

Originally Posted by quiklink (Post 1302620)
Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...

Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or written security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

quiklink 07-26-2007 10:44 PM

Quote:

Originally Posted by hambil (Post 1302624)
Immediate notification does not automatically mean the end user is safer.

But delayed notification certainly makes sure they remain unsecured and at risk.

I ask once again, who are you to decide upon the security of the end user's system? It is up to them to decide whether or not to continue to use the mod or to disable it or to uninstall it.

I don't care who you have worked for or what you have written. I've been in this field just as long and sorry, I've never worked for any company willingly putting themselves at further legal risk by not informing a customer of a security flaw immediately. Why? Because the notification can help limit potential damages that might arise should a breach occur due to the flaw.

As for the slander comments, thanks for the laugh! Oh and it would be libel, not slander...

Kirk Y 07-26-2007 10:59 PM

Quote:

Originally Posted by hambil (Post 1302624)
Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or written security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

bobster65 07-26-2007 11:15 PM

Quote:

Originally Posted by hambil (Post 1302616)
I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that, is agreeing to disagree.

You are correct that I accused some coders of having an unprofessional and selfish agenda. This very thread shows the entire community that it's an issue.. Maybe it will hit home and they will take some time to rethink about the way they code and care about their code. If they don't, they have no business releasing code to end users.

I take it since you are so personally consumed with how I feel about this, you are feeling guilty, otherwise you wouldn't be responding as such, as it wouldn't pertain to you.

I gave 7 recommendations (as requested by the vBorg Staff) that covered End users, Programmers and Vborg Staff and one of them is something that you don't like. Oh well. I highly doubt that vBorg is going to delay notification to end users because they understand the importance of security vulnerabilities and won't put themselves in a compromising position just to benefit the personal agenda of a few unprofessional hackers.

Quote:

Originally Posted by hambil (Post 1302624)
Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or written security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

You are correct Hambil.. Immediate notification does not automatically mean the end user is safer... what immediate action does is give the end user the option to take a course of action that they would not have by delaying the notification. The end user has just as much of a right to know of a vulnerability as the author of the code and it's up to the user to decide what is the best course of action to take. You still have not given one good solid professional reason to delay notification.

hambil 07-26-2007 11:57 PM

Quote:

Originally Posted by bobster65 (Post 1302644)
You still have not given one good solid professional reason to delay notification.

ARGGGGH! I've given several, and more than once. You may not agree with them but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period.

So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional, is well... as I said - unprofessional.

link
Quote:

Some said that publicly announcing security holes before a company has a chance to fix the problem gives malicious hackers a head start on exploiting the holes.
Richard Schaeffer, deputy director of the National Security Agency, and Presidential Cybersecurity czar Richard Clarke spoke at Black Hat and Defcon. Both men agreed that the current level of software security is "terrible," as Clarke put it.
But both Schaeffer and Clarke also strongly requested that security experts act with discretion when they discover holes in software, delaying public disclosure until companies have time to release patches.
Others firmly believe that swift, open disclosure of discovered flaws serves users better than trusting the software companies to quickly deal with and publicly admit responsibility for security issues discovered in their products.

This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.

I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.


@quiklink: slander, libel, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.

Quote:

Originally Posted by Kirk Y (Post 1302638)
WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run its course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".

quiklink 07-27-2007 12:03 AM

Quote:

Originally Posted by hambil (Post 1302669)
ARGGGGH! I've given several, and more than once. You may not agree with them but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period. So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional, is well... unprofessional.

Not if the details of the flaw are not disclosed. And by not doing so you leave the user at risk rather than giving them an opportunity to remove the risk. And we are not discussing the change to the wording of the text. Neither of us has given issue to that. We have voiced disagreement with your assertion that the best thing to do is to not inform the user until after a fix is available. And no, there is nothing professional in that. It's nothing but self-serving.

Quote:

This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.
It is you who are dismissing this discussion and the risk of leaving the user vulnerable.

Quote:

I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.
No, it just shows a callous indifference to the security of those using the mods.

Quote:

@quiklink: slander, libel, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.
And yet I have committed neither slander nor libel. Feel free to report any of my posts. I doubt I'll have any problems.

Kirk Y 07-27-2007 12:09 AM

Quote:

Originally Posted by hambil (Post 1302669)
It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run its course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".

That decision has been made. But, by all means, feel free to continue.

hambil 07-27-2007 12:11 AM

Quote:

Originally Posted by Kirk Y (Post 1302681)
The decision has been made. But, by all means, feel free to continue.

Thank you.

In addition, many more things are being discussed in this thread other than just to delay or not delay. That decision may be made for now, but we all seem to agree the process in general needs work, and probably will continue to need work and improvement. Discussion is good for that.

Kirk Y 07-27-2007 12:15 AM

I agree. It just seems that several people keep going back to whether or not users should be immediately notified when an exploit is discovered; I just wanted to make it clear that a decision on the matter was made, and it would therefore be better if they moved on to the other issues at hand.

MaryTheG(r)eek 07-27-2007 06:10 AM

Quote:

Originally Posted by Kirk Y (Post 1302252)
In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile. :)

Your reply confirmed my opinion:
1.- First of all, I nowhere wrote that you're not a good coder, or that you don't have knowledge. What I wrote (in my other posts too) is that you don't have the experience to see deeply into a situation.
2.- As for the photo, even if I believe that a photo is 1000 words, I wasn't the first one to have this opinion. There is a post on my site, long before my post, where someone has the same opinion. And finally, a profile (anywhere) is for giving a general view of the person.

AScherff 07-27-2007 06:57 AM

as a Member or User:

i wish to be informed of a vulnerability... please

and also i wish a little more information about the vulnerability:

will it destroy the Server ?
will it destroy the database ?
will it destroy the vBulletin ?
will it destroy the mod ?
will it ..... ?

or is there only a theoretical chance that someone can inject or whatever

without showing the real vulnerability.

So i have a better chance to decide to deactivate, uninstall, or close my whole system

thanks

Alfred

RedTyger 07-27-2007 07:41 AM

Quote:

Originally Posted by MicroHellas (Post 1302856)
Your reply confirmed my opinion:
2.- As for the photo, even if I believe that a photo is 1000 words, I wasn't the first one to have this opinion. There is a post on my site, long before my post, where someone has the same opinion. And finally, a profile (anywhere) is for giving a general view of the person.

O RLY?

https://vborg.vbsupport.ru/external/2007/07/5.jpg

This is getting a little childish and unnecessarily personal not to mention approaching irrelevancy.

Back to the subject at hand, as someone said there are good reasons to notify before a fix is issued and afterwards and it's perfectly possible to take a strong and valid stance either way. I don't particularly agree with being subject to stricter standards than vBulletin themselves (or at least I think those who have marked their modifications as supported could be given an immediate opportunity to do so) but that's OK. It's not unreasonable.

I think the most obvious change that could be made is allowing the modification authors (only) to post in the graveyard thread, which is a simple default switch to be flicked. They can then provide whatever information necessary if they so wish. If they don't, no problem.

MaryTheG(r)eek 07-27-2007 08:05 AM

Well, this is most probably for the Coder's Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is ok, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave the full script to the public for free, deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"

Marco van Herwaarden 07-27-2007 08:20 AM

Maria,

Please calm down now.

Quote:

"Does an average member have the knowledge to check a mod for bugs? In my opinion checking for bugs is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"
I never used the word "average" ;)
A coder is also a regular member on this forum, as opposed to a staff member.

Why the focus on who reported it? How does this knowledge help you or the users?

In my view it is a non-issue who was the person that reported a vulnerability; all that counts is that someone found a possible vulnerability and (luckily) took the time to bring it to our attention so we can take action to get things resolved. The result is all that counts. You (and the users of your work) should be glad that someone took the time.

Quote:

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave the full script to the public for free, deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
To answer your last question first: no we will not give out the name of the person that reported this.

Also you seem to have been jumping to some conclusions about how this person found the vulnerability and his intentions. I have no proof whatsoever that this person was trying to break your copyright. If you have such proof, please let me know and I will review this.

You seem to forget that we also have members that maybe consider installing a modification on their site and have the habit of first checking the code before putting any third-party coding on their website.

Zachery 07-27-2007 08:36 AM

Quote:

Originally Posted by MicroHellas (Post 1302897)
Well, this is most probably for the Coder's Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is ok, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave the full script to the public for free, deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"

How do you figure someone who reviewed your code from our site is breaking copyright laws? :confused:

MaryTheG(r)eek 07-27-2007 10:36 AM

Quote:

Originally Posted by Zachery (Post 1302909)
How do you figure someone who reviewed your code from our site is breaking copyright laws? :confused:

First of all, someone who reviewed my code (or reviewed anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which says that to perform a review (of anything) and to post the results of this review somewhere is prohibited without the written permission of the author (in the case of code) or the owner (in the case of a product).

Make a simple google search for "reporting vulnerabilities" and you'll find it, as well as much other useful information. Among other things (there are real examples there), the Reporter (who can never be anonymous) must give details like:
  • Why he decided to make the review
  • Why he chose this particular software (if it's about code)
  • To prove that he found only this vulnerability and that he hasn't hidden in the past vulnerabilities that he found and didn't report.

Dismounted 07-27-2007 10:40 AM

Quote:

Originally Posted by AScherff (Post 1302869)
as a Member or User:

i wish to be informed of a vulnerability... please

and also i wish a little more information about the vulnerability:

will it destroy the Server ?
will it destroy the database ?
will it destroy the vBulletin ?
will it destroy the mod ?
will it ..... ?

or is there only a theoretical chance that someone can inject or whatever

without showing the real vulnerability.

So i have a better chance to decide to deactivate, uninstall, or close my whole system

thanks

Alfred

We will NEVER send out details of any vulnerability as this can cause people to abuse that information and exploit it.

MaryTheG(r)eek 07-27-2007 10:44 AM

Just a random article as an example:
http://www.cerias.purdue.edu/weblogs...s-law/post-38/

Paul M 07-27-2007 11:36 AM

Quote:

Originally Posted by MicroHellas (Post 1302963)
First of all, someone who reviewed my code (or reviewed anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which says that to perform a review (of anything) and to post the results of this review somewhere is prohibited without the written permission of the author (in the case of code) or the owner (in the case of a product).

You released the modification here (to the public) for anyone to download. Therefore anyone can look at it and find any exploits it may have. No laws are broken doing this. Copyright laws are about stopping people from copying code and releasing it as their own (hence their name).

As for reviews - please show us this "review" law you refer to, because there is no such thing I know of (apart from which no review has been published anyway).

MaryTheG(r)eek 07-27-2007 11:42 AM

Quote:

Originally Posted by Paul M (Post 1302985)
You released the modification here (to the public) for anyone to download.

to download for use.. For nothing more....

Quote:

Originally Posted by Paul M (Post 1302985)
As for reviews - please show us this "review" law you refer to, because there is no such thing I know of (apart from which no review has been published anyway).

I wrote it above. Actually, it is the perfect example for this topic. Also don't forget to follow the links in the article's body. There are many more interesting facts to read there.

AScherff 07-27-2007 12:01 PM

Quote:

Originally Posted by Dismounted (Post 1302965)
We will NEVER send out details of any vulnerability as this can cause people to abuse that information and exploit it.

Thanks, and the affected is standing in the rain.

So, if a vulnerability of a mod is reported and i receive an e-mail to uninstall the mod,
my decision must be to uninstall the whole vBulletin itself! Because i do not know and cannot decide if the vulnerability of the mod also breaks (or has broken) a leak in vBulletin itself :eek:

So, if you are not willing to give any (even low-level) detail of a vulnerability of a modification, then as a part of informing the customers i would appreciate hearing a loud and clear opinion that after uninstalling the mod (or whatever is to be done) there is no harm to vBulletin and the system itself.

That's only a point of view from a customer...

hambil 07-27-2007 12:04 PM

Quote:

Originally Posted by MicroHellas (Post 1302990)
to download for use.. For nothing more....

I wrote it above. Actually, it is the perfect example for this topic. Also don't forget to follow the links in the article's body. There are many more interesting facts to read there.

That's someone's blog, not a law.

MaryTheG(r)eek 07-27-2007 12:15 PM

Quote:

Originally Posted by hambil (Post 1303007)
That's someone's blog, not a law.

Finally it became a word game. I wrote to follow the links. Especially the one that links to a newspaper. Read the article from the news.

hambil 07-27-2007 12:18 PM

Quote:

Originally Posted by MicroHellas (Post 1303013)
Finally it became a word game. I wrote to follow the links. Especially the one that links to a newspaper. Read the article from the news.

I'm not trying to play word games. That would be especially pointless since English isn't your first language, and we'd only end up misunderstanding each other even worse. I'm just trying to understand where you are coming from, and what you want to accomplish here. You're angry, I get that (I'm obviously occasionally hot headed myself). But we seemed to have moved past anger into other more confusing things.

Paul M 07-27-2007 03:00 PM

Quote:

Originally Posted by MicroHellas (Post 1302990)
to download for use.. For nothing more....

If you allow it to be downloaded, and it's visible source, then people can read it. This is not against copyright law (or any other law).

Kirk Y 07-27-2007 03:01 PM

Quote:

Originally Posted by MicroHellas (Post 1302990)
to download for use.. For nothing more....

You cannot release a modification here and stipulate that its backend can't be looked at; that's not only illogical but incredibly bad practice (for end-users).

Further, one need not modify your code to see that it contains vulnerabilities...

Marco van Herwaarden 07-27-2007 03:46 PM

Quote:

Originally Posted by MicroHellas (Post 1302963)
First of all someone who reviewed my code (or revied anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which is saying that to perform a review (in anything) and to post somewhere the results of this review is prohibited without the written permission of the author (in case for code) or the owner (in case of a product).

Make a simple Google search for "reporting vulnerabilities" and you'll find it, as well as much other useful information. Among other things (there are real examples there), the reporter (who can never be anonymous) must give details like:
  • Why he decided to make the review
  • Why he chose this software in particular (if it's about code)
  • Proof that he found only this vulnerability and that he hasn't hidden in the past vulnerabilities that he found and didn't report.

If there are any word games in this thread, then these start with this post.

http://dictionary.cambridge.org/defi...7665&dict=CALD

review
verb [T]
1 to consider something in order to make changes to it, give an opinion on it or study it:
The committee is reviewing the current arrangement/situation.
Let's review (= talk about) what has happened so far.
He reviewed (= thought about) his options before making a final decision.

If someone is looking into code, then obviously the word 'review' is used in the above meaning.
2 If critics review a book, play, film, etc. they write their opinion of it:
I only go to see films that are reviewed favourably.

This is the type of review that you are aiming your anger at. Nothing like that happened on this website.

Clayton 07-27-2007 06:01 PM

I have mentioned in the thread earlier that I have seen changes over the years on vb.org and how things ebb and flow.

However, what has been shown in this thread is how people with authority respond and their autocratic manner.

At one point this thread had reached a solution and I recall posting, thanking everyone for making progress. Since then it seems to have become a dog's breakfast, which highlights the joys of such forums where so many persons with opinions get involved.

It also seems as though microhellas has certain gripes relating to the way she has been treated over time by vBulletin staff and its representatives, and feels that she has been unfairly treated on a number of occasions. To her this may be perception; however, only time will show. It makes me wonder whether one can ask whether vBulletin have plans to launch add-ons very similar to what microhellas has already put out?

Because if this is indeed so, then I suppose she had reason for her gripes.

Only time will tell.

As for this thread, for me I have seen enough and actually don't really care much, as it's better the devil you know than the one you don't know.

mazel tov

hambil 07-27-2007 06:35 PM

Quote:

Originally Posted by Clayton (Post 1303270)
It makes me wonder whether one can ask whether vbulletin have plans to launch add-ons very similar to what microhellas has already put out?

Now that they are releasing paid add-ons, I am sure they will be stepping on some toes. It's unavoidable. How aggressive they are going to be, it's hard to say. Most of us are pretty defenseless. But, if they come up against vbSEO or PhotoPost, it could get interesting.

Paul M 07-27-2007 07:07 PM

This thread now seems to be moving into the realms of fantasy. vbulletin.org do not treat reports of an exploit in any modification differently because of some vague possible future clash with a potential/possible/maybe future Jelsoft product; that's just ridiculous.

The last few pages of this topic have gone nowhere really (just in circles) and it's heading towards closure.

Clayton 07-27-2007 07:11 PM

It reached its climax around page 4 or 5 when Wayne Luke gave a solution.

Thereafter we have had a clear display of various behaviour from both sides, no matter what one side may think.

hambil 07-27-2007 07:47 PM

Quote:

Originally Posted by Paul M (Post 1303307)
This thread now seems to be moving into the realms of fantasy. vbulletin.org do not treat reports of an exploit in any modification differently because of some vague possible future clash with a potential/possible/maybe future Jelsoft product; that's just ridiculous.

The last few pages of this topic have gone nowhere really (just in circles) and it's heading towards closure.

I never said that. I was responding rationally to the somewhat OT comment about vBulletin releasing paid add-ons. Geesh, do you have to be so heavy handed in everything you post, all the time, Paul?

Lizard King 07-27-2007 09:03 PM

I would just like to say that I never install a hack on my board before checking the code. I also first install all mods on my test server and check for possible bugs etc. before making any change on my live server. Therefore I review all the code I have on my board (except vBSEO, because the code is not visible). The only point here is that there has been a vulnerability found in a coder's mods. The coder also sells the same products. Because the vulnerability was found in her mod, and also because her coding structure is not similar to the vBulletin way, she loses some money because of possibly angry customers. And then she comes here and throws her anger all around, which I believe she has no right to do. This site is based on sharing, and the staff also have a responsibility towards the members, since lots of users' data are in danger. The procedure can be developed, but I believe the key point shall only be protecting members.

Paul M 07-27-2007 09:11 PM

Quote:

Originally Posted by hambil (Post 1303338)
Geesh, do you have to be so heavy handed in everything you post, all the time, Paul?

I think that confirms that this thread has outlived its sell-by date; completely off topic.

I'm off on holiday now so my last action before leaving is to close it.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
