David Poindexter wrote:
Thank you for enlightening us a bit on this Will. I would love to understand more about these "other severe issues". We have many client sites built using DNNGo themes, or some variation thereof, and we are concerned about any vulnerabilities that could still exist post-fixes-being-applied. Is there a way for you to share these (publicly or privately)? I am surprised to hear there may be "public exploits that occurred because of these vulnerabilities".
All issues that were being actively exploited AND the additional issues that we found were properly patched when the notices were sent. We didn't send those notices until we confirmed all known issues were addressed and the new versions were available on the DNNGo website.
Furthermore, I would highly suggest that if DNN Corp is going to start playing a role to monitor and act on "severe code quality issues and coding practices", then clear guidelines need to be published as to what the standard is.
Let me be clear. We aren't in a position yet to monitor the code quality of everything on the Store, but we want to get there. Obviously, before we start doing anything like that we would have clear guidelines available. The DNNGo situation wasn't about us randomly policing a vendor. A security issue was reported and we were asked to investigate. We had to take appropriate action based upon what we found.
As a side note, keep an eye out for a blog post from Clint Patterson. He will be sharing ideas for how we would like to engage more with the community to help with matters such as this.
Thanks,
Will