Whmc Security Blog Post
Awmusic12635 Member, Host Rep
edited October 2013 in General

This is good news: http://blog.whmcs.com/?t=80970

Over the last few months, WHMCS has released an unusually high number of security related updates - more than we would have liked or than you would have expected.

We understand the inconvenience that these cause, and their severity.

We have tasked several staff members with doing an internal code audit which is now well underway, and they have already identified a number of items which were addressed in the last release. We plan to continue our internal audit and release further updates as required.

We will also be commissioning at least one additional external security audit, and introducing a Security Bounty Program. External security audits are not something that is new to us; however, as a security audit alone is not a guaranteed solution, we will be increasing the frequency of both internal and independent external security audits being performed.

As mentioned above, we will also be launching a Security Bounty Program designed to reward those who find issues in our software and report them to us in a responsible and safe manner. In order to encourage this we will be offering free development licenses to security researchers and monetary rewards of up to $5000 per issue. Further details will be released about this in the near future.

These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.

We appreciate the trust that you put in us, and we intend to make sure that trust is not misplaced.


Comments

  • ndelaespada Member, Host Rep

    Finally!

  • Maounique Host Rep, Veteran

    So, the localhost.re guy/gal can move to Hostbill or some other closed-source backdoored program to find the backdoors and genuine mistakes.
    Props to him, and thanks.
    Today we are more secure, even though it wasn't easy for some people.

  • sman Member
    edited October 2013

    Seeing as how there seem to be so many WHMCS security experts around here, I would think a lot of them are going to make a lot of money.... [/snark]

  • This seems to vindicate the localhost.re person. Apparently WHMCS, all along, was against rewarding security researchers who contacted them over vulnerabilities in their product. It's good to see their change of heart, it will also be interesting to see if localhost.re goes silent now.

  • Maounique Host Rep, Veteran

    @jimpop said:
    This seems to vindicate the localhost.re person. Apparently WHMCS, all along, was against rewarding security researchers who contacted them over vulnerabilities in their product. It's good to see their change of heart, it will also be interesting to see if localhost.re goes silent now.

    Not only that, but it seems they denied vulnerabilities disclosed for free.
    I hope the localhost.re person won't go silent; there are many companies out there selling crappy code, a place for safe disclosure of encrypted code is needed, and some people seem not to move unless exploits are published.

  • Maounique said: Props to him, and thanks.

    jimpop said: This seems to vindicate the localhost.re person.

    Because his writing of scripts to exploit the vulnerabilities and openly offering them to the public was a gesture of good faith and a great idea.

    In this case it may have helped WHMCS make this decision, but beware the straw man.

  • Maounique Host Rep, Veteran

    @Microlinux said:

    I do not care who did this as long as Solus and WHMCS have started to take security seriously.
    Running with a bomb on your tail is not something many people like.

  • @Microlinux said:
    Because his writing of scripts to exploit the vulnerabilities and openly offering them to the public was a gesture of good faith and a great idea.

    Sometimes it takes just that. Remember, SolusVM and WHMCS didn't just volunteer to do security audits. For all we know, localhost.re could have spent a year quietly trying to get SolusVM and WHMCS to patch their vulnerabilities.

  • I'm not arguing it didn't help WHMCS make their decision (we also have nothing other than assumption that it was a factor in the decision, AFAIK).

    If there should be more police in my town and I go out and shoot a few people to prove my point, do you thank me? Maybe I'll watch for their patrol patterns and give that to fellow criminals too, that'd teach the police a lesson.

  • Maounique Host Rep, Veteran

    @Microlinux said:
    If there should be more police in my town and I go out and shoot a few people to prove my point, do you thank me? Maybe I'll watch for their patrol patterns and give that to fellow criminals too, that'd teach the police a lesson.

    While you would not get any applause, if this action breaks the crime rings there that were covertly killing 2-3 people a day out of police sight, then it would probably be worth it.
    And about giving it to criminals, you can be sure they already knew it; that is their business. Those who didn't know were the pick-pocket kids.

  • @Microlinux said:
    If there should be more police in my town and I go out and shoot a few people to prove my point, do you thank me?

    Like vigilantes? http://en.wikipedia.org/wiki/Vigilante

  • c0y Member
    edited October 2013

    @Microlinux said:
    If there should be more police in my town and I go out and shoot a few people to prove my point, do you thank me? Maybe I'll watch for their patrol patterns and give that to fellow criminals too, that'd teach the police a lesson.

    Bad analogy; that costs people their lives.

    Better compare it with a lack of fire extinguishing equipment and you setting a few shops on fire at night.
</gra_replace>
<gr_replace lines="108" cat="clarify" orig="• Now localhost.re">
  • Now localhost.re gets paid to report the bugs!

  • Now localhost.re gets Paid to report the bugs!

  • c0y Member

    @wych said:
    Now localhost.re gets paid to report the bugs!

    Who says that? Maybe he likes publicly disclosing more? Also, I doubt he'd give any billing info to WHMCS.

  • perennate Member, Host Rep

    Note that they probably aren't going to stop using register_globals and custom SQL query handlers.

  • @Frost said:
    Also, I doubt he'd give any billing info to WHMCS

    Fair point... But he may not disclose himself to them as being from localhost.re if he reported them.

  • mikho Member, Host Rep

    Interesting to see so many here being happy that the same people who wrote the code will now audit it.

    If WHMCS has ignored reports on bad coding before, why would they change over night?

    Seeing is believing and I'll wait for the result.

  • Maounique Host Rep, Veteran

    Nope, they said they will do at least one external audit. I do not think they will fake it, this time.

  • Also the rewards are "up to" $5000 per issue. And obviously they are the ones to decide what they reward the security researchers.
