MyBB Community Forums

Full Version: Security announcements
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
Is there any low-traffic notification channel for MyBB and mod security updates? I prefer email notifications more than anything else. I am considering MyBB installation, but I am wondering how do I know that I need to install an update?

There's the MyBB blog that allows email subscription, but it contains lots of non-security posts and it doesn't cover mods. Can I setup MyBB to check for updates automatically and notify me via email?
You can check the latest version via the ACP.
(2012-10-23, 08:57 AM)Leefish Wrote: [ -> ]You can check the latest version via the ACP.

Just check or actually get a notification? Obviously I am not going to check the ACP daily. And what about new versions of mods?
You get the alerts in the ACP.

I DO check daily, other than that you would have to subscribe to the blog as far as I know.
Hmm, that's unacceptably manual. What about setting up an announcement mailing list? This is really essential for server software. Tomcat has such a mailing list, for example. WordPress has plugins that email you about any pending updates.
We removed our mailing list shortly after was hacked in favour of social networks - where you can find MyBB on Facebook or follow MyBB on Twitter.

In MyBB 1.8, which is currently in development, we announced we were improving our contact with administrators by providing updates directly in the ACP. We'll also be automating the notification process you see in the ACP. You'll be able to set this to how ever often you like; every week, every day or even every hour.
While it's nice to have all these options, neither of them really solves the problem. Security/update notification system must be low-traffic in order to be useful. And mods cannot be left out of the system since they are a major source of vulnerabilities. I suppose this will require a special mod similar to WordPress update notification plugins.
You want MyBB to email you when a third party mod has a vulnerability?
(2012-10-23, 09:08 PM)brad-t Wrote: [ -> ]You want MyBB to email you when a third party mod has a vulnerability?

My question exactly. If you're using a plugin from a third party, you really should be asking the mod author to contact you if anything.
A security notification system is only as useful as the methods you use to receive them. If we release a security update within 24 hours of a report, we can logically assume we want users to read about it and protect themselves within a similar timescale.

20% of the Internet-connected world have a Facebook account. More up to date people have a Twitter account but not as many. You can add your email to our blog (click Follow) to receive news and updates (we don't post that much crap). Finally, you will be receiving updates automatically via the ACP in 1.8 in the future.

So when we push a security release protocol is to announce via all sources. Meaning whatever technology you use you should receive the news. That's pretty much the best we can do.
Pages: 1 2