Cap 21, 00 / Dec 22, 16 20:22 UTC

Another way to report bugs  

Is it safe to report the website-forums bugs via an an open topic ? An attacker might find bugs infos usefull for attacking and gaining access to the site (and even the server ) by using the bug infos from that topic I believe it's safer to use a form or an email for that

Mod Edit done.

MOD EDIT: This post has been moved from [News and Announcements / Bug Reports - Website and Forum/] to [News and Announcements / Feedback] at the members request - Jason Rainbow Dec 22 @ 21:50

  Last edited by:  Jason Rainbow (Global Admin, Global Mod, Asgardian)  on Cap 21, 00 / Dec 22, 16 21:52 UTC, edited 2 times in total.
Reason: Done - Jewell Ledoux 8:31pm 12/22/2016

Cap 21, 00 / Dec 22, 16 20:45 UTC

An alternative would be to limit the visibility:

  • Only logged in users have access to the bug forum

  • Only a specific user group can see all contents of the bug forums.

  • In addition to that only the creator receives the right to see own filed bugs when logged in.

Cap 21, 00 / Dec 22, 16 21:43 UTC

logged in users have access to write in that topic but everyone has access to view it so if i post a critical bug in that forum everyone on the internet has access to view it but only logged in users have access to write a post

Cap 21, 00 / Dec 22, 16 22:02 UTC

ps. thanks for moving the post to the proper section (by mistake i posted it into the bug topic)

  Last edited by:  Christos Faroupos (Asgardian, Global Mod, NCM)  on Cap 21, 00 / Dec 22, 16 22:06 UTC, edited 1 time in total.

Cap 23, 00 / Dec 24, 16 07:25 UTC

Good call Chris3. Limited visibility should only be for those who will patch bugs/vulnerabilities or who those can be trusted. The last thing we want around here are SQL injections, DDOS attacks, or any other crap that compromises the integrity of this web site. Think about this, some new Asgardian joins this site looks for info. Runs across the bug forum, uses that information to take us down or holds the site hostage for bitcoins. Used powerful malware to compromise this web site. Not too Kool!!

Cap 23, 00 / Dec 24, 16 11:31 UTC

Interesting question. To be honest it mostly depends upon the bug criticity. Usually, when I, (as a end-user) find out about a bug which may be really critical, I don't use the traditional ways (like the public forum) to report it. I use direct PM with an administrator or someone trustworthy and it's handled secretly. I find this approach more secure indeed.

Using the forum, maybe an option like a flag "critical/sensitive" could be applied by the main author or by administrators/mods which would limit read access to the author and staff members.

I don't know if we have -yet- a way to know if a forum member is an Asgardian (registered) or not. But if so then the topics in the "Bug reports" section should only be visible by the author and registered members and staff. (But a non-registered user should still be able to fill in a new bug and see its evolution, meaning having read/write access to the thread he has created)

The "critical/sensitive" flag may come handy at some point when our security is at risk (XSS, SQL injection...).

Cap 23, 00 / Dec 24, 16 23:32 UTC

Even if someone is a register user (asgardian) do we really now who is behind the account? the communications are behind an ip not a visual one thats why i am so worried about the bugs it's better for the info's are hide from all of us we don't know what effect has a combination use of the bugs that have been reported there are many ways of hacking only imagination limits them (a hacking that is discovered is not a successful hacking) and i am not talking about the hackers of the old ages (now they are calling them white hat) i am talking about the bad guys who will steal data for other reasons it's better to be prepeard form now and not after of an incident that it might damage our nation before even it's creation

Cap 23, 00 / Dec 24, 16 23:36 UTC

it's better to have a second way of authentication for start (in order to be more secure from stolen passwords) and some other ideas which i prefer not to say them in public