PowerDNN: Put up or shut up
5/23/2008 10:42 AM
 

The unprofessionalism of a public "lynching" by the original poster (and a few others) astounds me to no end.

I've been a customer of PowerDNN since their inception and have not had one single issue with the way they handle their end of the business. I am actually quite proud to have them "watching my back" instead of being an absentee landlord as a hoster.

They have been nothing but professional, courteous, helpful and completely knowledgeable on the subject of hosting, DNN, and best practices. If they felt that there was a serious security flaw in DNN that could potentially affect 1000's of installed client bases on THEIR SERVERS (which BTW is their property, not yours) then they had every right to alleviate that threat IMMEDIATELY until the core team could be notified and a proper fix released, if needed.

The only issue I take with PowerDNN themselves is that they released the information to the public through their site and through a press release prior to talking with the core team or Shawn personally. This lack of judgement, for lack of a better description, could have potentially affected many DNN users' sites because of the very public nature of the information released.

I would only ask that EVERYONE out there follow the proper guidelines in reporting security issues to the core team and not publicly first. The interest of the entire DNN community is at risk when doing so.

It's quite unfortunate that a lack of judgement and professionalism was displayed in what is otherwise a very strong and courteous membership.

 

Edward DeGagne | Applications Engineering Manager
ektron, inc.
542 Amherst Street, Route 101A | Nashua, NH 03063

 
5/23/2008 10:46 AM
 

Brandon Haynes wrote

It's truly unfortunate that you guys still don't get it.

Brandon

So what exactly don't they get? It looks to me like a case of "no good deed goes unpunished."

Joe

 
5/23/2008 11:02 AM
 

I hope this gives everybody out there a little more insight into what PowerDNN's primary concern was here:

http://www.emediawire.com/releases/DotNetNuke/Security/prweb964344.htm

So much for the "we just emailed our customers" line...

 
5/23/2008 12:23 PM
 

Ed,

People were more upset by the ongoing actions that occurred long after PowerDNN had been told that they were detrimental to the community:

1. Ignoring the security reporting procedures which were put in place and which follow generally accepted practices for security professionals (guidelines). Even if you accept that their first concern was protecting their customers, they had the time to create and post a security scanner which occurred almost 12 hours before there was any communication with the core team. This is not an insignificant amount of time, and it is time that we could have been validating the bug and preparing a fix, along with presenting a unified response from both DotNetNuke and PowerDNN.

2. Posting a security scanner which allowed any hacker to detect portal versions and quickly identify potential vulnerabilities. Even after they were first requested to remove the scanner, it continued to remain online for more than 24 hours.

3. Continuing to post false or misleading information regarding the events.

Given the nature of the particular vulnerabilities, there were remedies available to PowerDNN that did not require the alteration of any of their customers' sites or the issuing of a security notification, much less creating a press release. Also, because these vulnerabilities have existed for a couple of years there was no reason to create a panic in the community. Prior to this there is no evidence that anyone had discovered, much less exploited, these vulnerabilities even though numerous audits by professional security organizations and governments had been performed. Delaying notification until the DotNetNuke team had a chance to create a patch would not have jeopardized their own customers and would have kept the rest of the community safe until a permanent fix could have been distributed.


Joe Brinkman
DNN Corp.
 
5/23/2008 12:35 PM
 

You'll notice that the original poster of this thread has a grand total of 1 post... Whoever this was needs to grow some nads and post under their usual account.
A disappointed PowerDNN customer? In three years I've never heard of one - I've heard complaints about the cost but never the service.

Greg

 