Joe Brinkman wrote
Also, because these vulnerabilities have existed for a couple of years there was no reason to create a panic in the community. Prior to this there is no evidence that anyone had discovered, much less exploited, these vulnerabilities even though numerous audits by professional security organizations and governments had been performed. Delaying notification until the DotNetNuke team had a chance to create a patch would not have jeopardized their own customers and would have kept the rest of the community safe until a permanent fix could have been distributed.
Just to emphasise Joe's point here - the two issues identified by PowerDnn have existed for (1) 18 months at least and (2) since September 2004, and have NOT ever been reported as being used to target a site.
Therefore the case that this "panic" was necessary is spurious - it could have been fixed within 24-48 hrs without raising this panic if PowerDNN had followed normal industry-standard security practices.
No-one here is saying that PowerDNN's service is not excellent - Ed is obviously happy with his service - and his testimonial is front and center on their home page.
The issue here is the unprofessional response shown by PowerDNN in panicking the community with:
- an unnecessary email blast to its clients 24 hrs before releasing the information to the Security alias - it's the timing that is the problem - taking advantage of the issue before reporting it through the appropriate channels
- a blatant (at least to many people on these forums) attempt to make money from the community with the Security Scanner tool and
- the Press Release mentioned above - which was not necessary and again promotes PowerDNN as being the white knight that saved DotNetNuke, rather than the Company that caused the scare.
I have attempted to give them the benefit of the doubt - as you can see by my comments on other threads, but so far PowerDNN have done nothing to justify that and my respect for them is fast disappearing.
Tony has my IM and has not been reluctant to use it when he wants me to provide him with free advice - the least he could have done would have been to IM me and let me know they had found an issue.