Quote:
1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.
That's not a good reason. They are still vulnerable to the attack. You don't know exactly how widespread the problem is before being finally notified about it. And are these notices detailing exactly how the exploit is occurring?
Quote:
2) Not giving clear instructions, but simply saying 'disable' or 'uninstall', will likely not remove the vulnerability in many cases, since file edits and template edits may have been made.
Template edits aren't usually going to be a security issue. File edits, yes, I agree would be. While detailed removal instructions would be good, it would be difficult for vborg to give such instructions for every mod. I agree that in the graveyard the info for proper removal/uninstall should be left so that the user can get that info if they don't already have it.
Quote:
3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.
That's the end user's problem. You can't fix stupid.
Quote:
Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.
What exactly is a reasonable time frame for leaving a user vulnerable? Answer: no time; they should be informed immediately. Are you willing to accept the responsibility and liability for any damage or theft of information because you didn't announce the vulnerability when you first learned about it? No, I thought not... But believe it or not, an end-user could quite easily decide to haul you into court for doing just that. You can post all the disclaimers in the world and it doesn't protect you.
Quote:
There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.
Everyone in the industry certainly does not do this. In fact, with most major applications the vulnerabilities are posted immediately on known sites to get the information out as fast as possible. This is often how the developers learn about the vulnerabilities in their own code in the first place.
Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.