Hi Guys,

We patched our customers immediately due to the severity of the issue.  We never charged a single PowerDNN customer any money for the fix, and within 24 hours of patching our customers sites we has the information over to security@dotnetnuke.com.  We have since pulled the scanner down and actually quite charging non-customers as of yesterday.  As of today, PowerDNN has made a little over $100 in charging non-customers for the patch.  We revealed the information to the core team 24 hours ago, so the rumor going around that we have withheld information is untrue.  Because of the mailer we sent out to our clients the information got out quicker than we anticipated (lesson learned) and it made it seem as if we were holding information back.  Once we had time to gether our information, we sent it over to security@dotnetnuke.com and 24 hours later I am still hearing from people that we haven't done so.  We approached this in a way we feel is appropriate, find the issue, build a fix, secure our customers, report findings to DotNetNuke security team.  We made some mistakes on how information got out, but our main goal was to give our customers a head up on a security flaw that would not be patched until a 4.8.3 release.  I can see how things got portrayed the way they did, but I assure you we have got the information to the correct channels. 

I assure that the security flaw is very serious, and it has been downplayed on this board.  If you are a customer, I encourage you to open a ticket or call and I would love to give you a little more info.  We would only have gone to these lengths for something very serious.  I think some of the responses we have gotten over this, will disincent other companies to push the envelope and offer these types of services.

Having read the entire thread in the Announcements forum, Shawn's blog, and this thread - I think it is obvious that PowerDNN miscalculated and have received a probably deserved black eye. It is not so clear to me that they were behaving in the opportunistic fashion of which they have been accused. The way in which DNN folk - core and otherwise - piled on in a public form, before the communication issue with PowerDNN was resolved, displays a not very mature level of professionalism. It doesn't make DNN as a whole look good to have this kind of conflict and back and forth discussion while the problem is stil live. Wait until it is finally and totally resolved, and finally issue a clear, calm and professional assessment. If the conclusion is that there was malfeasance on the part of PowerDNN, describe the nature of that malfeasance dispassionately at that time.

What is sure to be the case is that by that time more facts will be known, and fewer mistakes will be made than in the heat of the moment. The DNN community will look much more professional, and that will in turn make DNN look more respectable and trustworthy as a platform with a future. It's always disappointing when passion takes over, and even more disconcerting when members of the core are involved. I think it is important that the record be set straight, but wait until the dust settles.

That said, I personally want also to register my disappointment in PowerDNN. I am not a customer of theirs, and they owe me nothing. But: One of you folks should have been on the phone with DNN core folk immediately as soon as you knew there was a problem, even while you were working to take care of your customers. I think you are wrong with your oft-repeated "we gotta take care of our customers first." You take care of them by working on the patch for your customized version of DNN as well as by communicating immediately with DNN core. And you coordinate communication about the issue with DNN core - even communication with your own customers. Obviously, you have raised a good point about needing to communicate with your customers in a timely fashion, so they don't overwrite your changes. So you cannot let DNN core absolutely dictate the time and manner of your communication with your customers. But you can let them know ahead of time, give them an opportunity to prepare. DNN core should have known just when your communication was going to go out to your customers.

There is very little excuse for not immediately and vigorously ensuring that you had fully apprised DNN core of the situation.

And having said that, it seems to me this is a mistake in judgment on your part, rather than a calculated effort of some sort. I hope that is indeed the case.