2019-07-01, 08:53 PM
I don't think vulnerabilities should be made public in any way before they are patched. That would be insane, literally like releasing zero-days. Nobody does it, as far as I know, unless the vulnerability is already being exploited in the wild. In that case, security advisories are released. But it would make no sense to publish a vulnerability that has been secretly reported to the devs, before they fix it. It's standard practice to keep it secret and try to fix it as soon as possible.
So I really don't understand the point of this discussion. Maybe the point is that labrocca is worried that his forum might be hacked, because it's a sensitive target (HF right?), so other people (black hats) might get to know about the vulnerabilities (exchanged secretly in some way) and try to exploit them. So maybe labrocca would like to know about the vulnerabilities as soon as possible, even if there's no fix yet, because he wants to be able to mitigate the risk (he is probably able to hotfix them at once, long before an official fix is released). But while this would make sense for him, it wouldn't make sense for all the other webmasters that would NOT be able to fix the vulnerabilities, and would still have to wait for an official release, and meanwhile hope that they don't get hacked because the news (and probably also the details) of the vulnerability are now public.
I think some companies provide special advisories for some of their most important clients, say, Microsoft will communicate with some antivirus companies before anybody else, or Google will provide details to some other vendors but not publicly, etc. In the same way, MyBB could provide special security advisories to some trusted partners, for example telling labrocca about the vulnerabilities before they are made public, but the question is... is labrocca a trusted partner? I guess not. So as you can see there isn't a solution for this "problem".