1977Burton Posted November 10, 2013 Hello, Premium support appears to be a great option, but can someone from IPS elaborate on why security updates are not made available to all customers at the same time regardless of support level? Thanks!
Aiwa Posted November 10, 2013 Security updates are made available to all IPS clients at the same time, public announcement. The difference you've noted above is that IPS will install these security updates for you just before the public announcement.
Rhett Posted November 10, 2013 Premium support customers as part of their premium support get their sites patched before we make the public release. This is not something we hold back from the public, they are just done first is all.
1977Burton (Author) Posted November 10, 2013 Looks good & thanks for the clarification :)
GreenLinks Posted November 10, 2013
"Premium support customers as part of their premium support get their sites patched before we make the public release. This is not something we hold back from the public, they are just done first is all."
Not sure if this is a good policy at all. Just to make more money you are basically putting all other license owners' websites in danger. Hope this will change ASAP.
Charles (Management) Posted November 10, 2013 We're talking minutes before the announcement here. No conspiracy theories necessary :)
Martin A. Posted November 11, 2013 Once the patch is available, the exploit is wide open on all unpatched installations. Clients who have the need for priority support are more likely to be hacked than the rest of us, so it's in IPS' best interests to get those clients patched before the exploit is publicly known. It wouldn't exactly help improve IPS' reputation if forums like Neowin, any of the NFL forums or Minecraft Forum were hacked because their IT people were unavailable at the time of the announcement (I'm just assuming these have premium support). Several support techs may also be required to get those forums back again, meaning it'll take longer for you to get your support tickets answered.
When a possible security issue is found, it's normal practice to give the developers a set amount of time to release a patch, or wait till the patch is released, before the exploit is publicly available, as can be seen in these timelines:
http://www.exploit-db.com/exploits/22398/
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0060.html
2013/05/02: Advisory sent to IPB
2013/05/02: IPB responded
2013/05/03: Patch has been released
2013/05/03: IPB asked to wait at least a week before publishing advisory to protect their huge community
2013/05/13: Advisory is released
Archived
This topic is now archived and is closed to further replies.