  #55  
07-24-2007, 11:29 PM
quiklink
 
Join Date: Jun 2007
Posts: 81

Quote:
Originally Posted by -=Sniper=- View Post
@quiklink;

ok, so WILL you uninstall vbulletin if it had a security issue? yes or no? will you uninstall a hack or no? please don't answer! Why don't Jelsoft inform me about security issues when discovered but only when they have published the fix?
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product, it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.

Quote:
Do you feel the same way about vbulletin as a standalone product?
Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.

Quote:
You have to understand the issue was reported privately hence no one knows about it (or very few) so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough you would inform as many users as possible, since someone will now try to exploit the issue no doubt.
Obviously at least one person knows of the vulnerability; there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.

Quote:
Now if you ask users to uninstall mods, e.g. if you had articles mod, six months later there is a security issue, by now the site might have plenty of articles etc and on uninstall everything will be lost, would you want that? you have to understand not everyone is technically minded or even simple things like uninstalling or disabling would mean the same thing to them...
It's up to the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.


Quote:
as always there are pro/cons to every procedure.
There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation.
 