Posted November 10, 2013
Hello, Premium support appears to be a great option, but can someone from IPS elaborate on why security updates are not made available to all customers at the same time regardless of support level? Thanks!
November 10, 2013
Security updates are made available to all IPS clients at the same time, public announcement. The difference you've noted above is that IPS will install these security updates for you just before the public announcement.
November 10, 2013
Premium support customers as part of their premium support get their sites patched before we make the public release. This is not something we hold back from the public, they are just done first is all.
November 10, 2013
> Premium support customers as part of their premium support get their sites patched before we make the public release. This is not something we hold back from the public, they are just done first is all.
Not sure if this is a good policy at all. Just to make more money you are basically putting all other license owners' websites in danger. Hope this will change ASAP.
November 10, 2013 (Management)
We're talking minutes before the announcement here. No conspiracy theories necessary :)
November 11, 2013
Once the patch is available, the exploit is wide open on all unpatched installations. Clients who have the need for priority support are more likely to be hacked than the rest of us, so it's in IPS' best interests to get those clients patched before the exploit is publicly known. It wouldn't exactly help improve IPS' reputation if forums like Neowin, any of the NFL forums or Minecraft Forum were hacked because their IT people were unavailable at the time of the announcement (I'm just assuming these have premium support). Several support techs may also be required to get those forums back again, meaning it'll take longer for you to get your support tickets answered.

When a possible security issue is found, it's normal practice to give the developers a set amount of time to release a patch, or wait till the patch is released, before the exploit is publicly available, as can be seen in these timelines:

http://www.exploit-db.com/exploits/22398/
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure

http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0060.html
2013/05/02: Advisory sent to IPB
2013/05/02: IPB responded
2013/05/03: Patch has been released
2013/05/03: IPB asked to wait at least a week before publishing advisory to protect their huge community
2013/05/13: Advisory is released