Quote:
I know the old policy was to ask the author to fix a hack, and then only after they didn't (for a very long time in some cases) would it get either fixed by a staff, or have the files removed (but left in place, not zoomed off to a graveyard).
Okay, let me focus into some of these:
- The policy itself has never been changed, but as the site is changing the practical implementation might have undergone some (minor) changes.
- It has always been the policy that if a severe (read: dataloss/datamanipulation for users) vulnerability is found, it will be made unavailable immediately and users/author notified.
- We have removed the part about non-severe vulnerabilities (which did have a 7-day grace period) as it turned out that this was hardly ever the case. Almost all discovered vulnerabilities were in the 'severe' category.
- Previously we did not have a Graveyard, so the next best option was to remove the file. This however meant that the file was also not available anymore to staff for a review of the vulnerability. By moving to the graveyard instead, we still have the original thread with attachments. I see this as just a better implementation of the same policy.
- An additional benefit of this (and yes I know some will claim this is not a benefit) is that the thread is also closed for discussion. What we had a few times when we only removed the file, is that members would start a discussion on the vulnerability itself, giving out a lot of information that could be abused, or provide partial solutions giving other users a false sense of security.
- A staff member might (this will hardly ever happen) provide a fix. This has always been in our policy.
Some may say that the above is a change in the policy, personally I do not see it that way.
I hope my answer gives you a bit more insight now into things.