MyBB Community Forums

Full Version: MyBB Vulnerability Releases
Pages: 1 2 3 4 5
I don't think vulnerabilities should be made public in any way before they are patched. That would be insane, literally like releasing zero-days. Nobody does it, as far as I know, unless the vulnerability is already being exploited in the wild. In that case, security advisories are released. But it would make no sense to publish a vulnerability that has been secretly reported to the devs, before they fix it. It's standard practice to keep it secret and try to fix it as soon as possible.

So I really don't understand the point of this discussion. Maybe the point is that labrocca is worried that his forum might be hacked, because it's a sensitive target (HF right?), so other people (black hats) might get to know about the vulnerabilities (exchanged secretly in some way) and try to exploit them. So maybe labrocca would like to know about the vulnerabilities as soon as possible, even if there's no fix yet, because he wants to be able to mitigate the risk (he is probably able to hotfix them at once, long before an official fix is released). But while this would make sense for him, it wouldn't make sense for all the other webmasters that would NOT be able to fix the vulnerabilities, and would still have to wait for an official release, and meanwhile hope that they don't get hacked because the news (and probably also the details) of the vulnerability are now public.

I think some companies provide special advisories for some of their most important clients, say, Microsoft will communicate with some antivirus companies before anybody else, or Google will provide details to some other vendors but not publicly, etc. In the same way, MyBB could provide special security advisories to some trusted partners, for example telling labrocca about the vulnerabilities before they are made public, but the question is... is labrocca a trusted partner? I guess not. So as you can see there isn't a solution for this "problem".
I completely understand why the MyBB devs would like to keep this information from the public, but at the same time, if I was in labrocca's shoes with a forum the size of his, I would want to be given the chance to patch/mitigate the exploit myself. There's always a risk involved regardless of which direction the MyBB devs take, but maybe offering a program for big board owners and trusted members to be looped in earlier than the general public would be a good middle ground, so that the people who would be impacted the most would be able to opt in and stay ahead of the exploits while still keeping malicious users in the dark. Heck, I'm sure the big board owners would be fine with a membership fee for such a mailing list, which would also help support faster turnaround times for security patches.

A great example of responsible disclosure to trusted parties is CloudFlare and their WAF feature that will apply patches to 0-day exploits before software developers have a chance to roll out a security update. Software developers loop in CloudFlare prior to the general public, and they can push out an update to their users to block said exploits quietly, offering a big level of protection to the internet without revealing unpatched exploits. Of course CloudFlare is at a different level, but surely there are some people still in the community that have earned the trust of the MyBB devs over the years, right? :)