Results 1 to 25 of 94
-
10-31-2013, 12:11 PM #1 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
WHMCS: Response to Recent Security Events
This just came out:
Over the last few months, WHMCS has released an unusually high number of security related updates - more than we would have liked or than you would have expected.
We understand the inconvenience that these cause, and their severity.
We have tasked several staff members with doing an internal code audit which is now well underway, and they have already identified a number of items which were addressed in the last release. We plan to continue our internal audit and release further updates as required.
We will also be commissioning at least one additional external security audit, and introducing a Security Bounty Program. External security audits are not something that are new to us, however as a security audit alone is not a guaranteed solution, we will be increasing the frequency of both internal and independent external security audits being performed.
As mentioned above, we will also be launching a Security Bounty Program designed to reward those who find issues in our software and report them to us in a responsible and safe manner. In order to encourage this we will be offering free development licenses to security researchers and monetary rewards of up to $5000 per issue. Further details will be released about this in the near future.
These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.
We appreciate the trust that you put in us, and we intend to make sure that trust is not misplaced.
Matt Pugh
Founder/CEO
Like I said in prior posts, I for one believe there will be a lot of change.
Last edited by Steven; 10-31-2013 at 12:15 PM.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
10-31-2013, 12:13 PM #2 Junior Guru Wannabe
Join Date: Oct 2013 | Posts: 42
This is good.
-
10-31-2013, 12:14 PM #3 Web Hosting Evangelist
Join Date: Apr 2013 | Location: Data center | Posts: 541
Interesting. At least the guys at WHMCS are starting to plan for the future. That's a good start...
-
10-31-2013, 12:20 PM #4 Web Hosting Master
Join Date: May 2010 | Location: Bhakkar | Posts: 1,592
A good move. At least they have realized that they will have to conduct a code audit to remain in the market. Best of luck for future stable versions...
██ HostinPK.com
██ [US/UK] Shared Hosting, Reseller Hosting, VPS Hosting
██ cPanel/CWP | Softaculous | WHMCS | Dedicated IP | SSL
██ We accept PayPal, 2checkout, Credit Cards, and Bank payments
-
10-31-2013, 12:27 PM #5 Temporarily Suspended
Join Date: Jun 2012 | Location: London, United Kingdom | Posts: 296
$5000? A clever way to do it
-
10-31-2013, 12:54 PM #6
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
10-31-2013, 12:58 PM #7 Web Hosting Master
Join Date: May 2010 | Location: Lincoln (UK) | Posts: 901
I think I read that it is per release, so if 20 people report 20 different issues then that is up to $250 each (OK, still not bad, and hopefully there would not be 20 different exploits per release).
The big question is, though, has this announcement made anyone change their mind about leaving WHMCS?
-
10-31-2013, 01:00 PM #8
Not here.
I'll give them time to prove themselves, but we've heard the same old same old thing from them before.
As of now, I'm just waiting for the system to come out that works well enough that I can use. Their attitude regarding security, and their customers, is, well, pathetic.
Tom Whiting, WHMCS Guru extraordinaire
-
10-31-2013, 01:03 PM #9 Web Hosting Master
Join Date: Mar 2003 | Location: Canada | Posts: 9,072
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
10-31-2013, 01:10 PM #10 Mostly Retired!
Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992
I'll give them time to prove themselves, but we've heard the same old same old thing from them before.
What, in everyone's opinion, is an appropriate length of time for WHMCS to get their act together? I want to give them a fair shot as well, but I can't hold my breath forever. I've pulled as much as I can get away with out of production, but that's certainly not a "fix".
-
10-31-2013, 01:12 PM #11 Web Hosting Master
Join Date: Oct 2003 | Posts: 9,264
-
10-31-2013, 01:18 PM #12 Hello World
Join Date: Nov 2009 | Location: /etc/my.cnf | Posts: 10,657
The hardest part for WHMCS will be implementing any changes found from the audit that aren't going to completely knacker their modules or the countless other modules on the planet for its software.
-
10-31-2013, 01:27 PM #13 Junior Guru
Join Date: Dec 2007 | Location: Scotland | Posts: 177
These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.
‡ David Man
‡ www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
‡ www.direvps.com - When nothing but price matters! - Brutal marketing for a brutal market!
-
10-31-2013, 01:37 PM #14 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
-
10-31-2013, 01:38 PM #15 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
-
10-31-2013, 01:38 PM #16 Web Hosting Master
Join Date: May 2003 | Location: San Francisco, CA | Posts: 1,506
WHMCS: Response to Recent Security Events
* GeekStorage.com - Offering awesome website hosting for over 13 years!
* Shared Hosting * Reseller Hosting * Virtual Private Servers * Dedicated Servers
* Have questions? Send us an e-mail, we'd love to hear from you!
-
10-31-2013, 01:39 PM #17 Web Hosting Master
Join Date: Oct 2003 | Posts: 9,264
-
10-31-2013, 01:41 PM #18 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Never received anything in the form of money from cPanel. We had asked them about bounties several months ago and were told at this time no they do not have anything like that but possibly could one day.
I have sounded upbeat about WHMCS for a while now. They + cPanel are good guys and I have talked with them pretty extensively.
-
10-31-2013, 01:43 PM #19 Web Hosting Master
Join Date: Oct 2003 | Posts: 9,264
-
10-31-2013, 01:44 PM #20 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
I received a partner package, when I went there as a partner visit. Lots of people get them. Anything received, has zero to do with any security work.
They have never said, "Hey, here's payment for that bug you sent us." They (cPanel) do not offer such a program.
Not really sure why you seem set on derailing a thread with things that have no reason to be in here.
This is to discuss WHMCS's next moves.
Last edited by Steven; 10-31-2013 at 01:50 PM.
-
10-31-2013, 01:51 PM #21 Web Hosting Master
Join Date: Oct 2003 | Posts: 9,264
Roger that.
No intention whatsoever of derailing the thread, I just wanted to know why your feelings about WHMCS suddenly changed. WHMCS needs a full-blown code rewrite, and that'll take quite a few months. Their bounty program is a damned good move (albeit belated).
These are all steps in the right direction and are all great improvements across the board.
-
10-31-2013, 01:53 PM #22
And just because you're gullible enough to believe them doesn't mean you are.
Good for you, what, you want a cookie?
The fact remains though, despite your ignorance of the issues, Matt is the one that is responsible for this fiasco, and all the ones previous. He's been let off with a simple slap on the wrist by people like you so many times it's not funny. Nobody is holding people accountable for their actions here, nobody.
Tom Whiting, WHMCS Guru extraordinaire
-
10-31-2013, 01:54 PM #23 Web Hosting Master
Join Date: Oct 2003 | Posts: 9,264
-
10-31-2013, 01:54 PM #24 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
-
10-31-2013, 01:57 PM #25 Problem Solver
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Our opinion has changed because, of how they act. I looked David@WHMCS in the face and told him, "Hey, there is a vulnerability in ...." and he went and found/confirmed it while I was sitting there. To me that is responsible. He could have said no no, not possible like other companies have done.
Really, for the most part if you report something to them they do act on it.
Take this for example:
https://www.google.com/#q=site:whmcs.com+safeornot.com
These guys have been reporting for years, even before they started crediting.