Thread: Chat Modifications - [DBTech] vBShout v6 (vB3) [AJAX]
  #516  
Old 03-24-2012, 03:06 AM
DragonByte Tech
Join Date: Feb 2010
Location: Scotland
Posts: 8,814
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by cowcowcow View Post
well it's only been 2 days. I'm not angry at all about that, it's my responsibility to keep up to date with what's going on.

What I'm angry about is u providing a faulty product which has damaged my server. and even after that not providing a fix and asking me to PAY for it. for instance vbulletin ALWAYS provides security fixes if their product was faulty to begin with.

This is the most absolute basic expectation and I can't believe ure going to make me pay an additional $44.95 instead of providing the fix for the security flaw, after it caused my server to be hacked.


Vbulletin - products will still be eligible for patches for known Security Vulnerabilities until it is determined that there is insufficient usage

Anyway we just compared the lite version 6.0.3 and 6.0.4 to find the difference and we had already addressed it, it was a simple fix which is why this is so remarkable because it is pretty irresponsible to have such a security flaw (AND A SIMPLE ONE) only be fixed for the present version... you should at least give instructions for what is broken for everyone else

You will notice that there is an "Until it is determined that there is insufficient usage" qualifier there for vBulletin versions - what this means is they do NOT go back and apply the update to EVERY version, only to versions they have determined a certain percentage of users are on - usually this is only the LATEST version of the product branch.

That is the same situation for us - the vast majority of our users are able to access the latest version, and those who aren't are spread over so many versions it would be impossible to update them all.

It is standard practice to require users to stay up to date with updates for software to receive updates and fixes, including security fixes. This goes for the majority of software, especially for small companies such as ours.

We have put the fix we added in the news thread for the security issue for the few users in the same situation as you, but please note we obviously cannot guarantee that fix will work on older versions and you continue to use them at your own risk.

No software is ever completely secure or bug-free, you should be aware that by deliberately running out of date software you will always be running that risk, just like people still running version 3.0 or 3.5 of vBulletin for instance.

You can see an example of vBulletin's policy here: https://www.vbulletin.com/forum/show...ing-quot-patch

You will notice they did not update vB 4.0.1, 4.0.2, 4.0.3 etc, only the latest versions of the 4.X and 3.X series. This is despite the vulnerability being in all versions of vBulletin 3.X and 4.X.

Iain