Recent security breach

10 years 1 month ago
Colin (Topic Author)
Licenses: JomSocial Expired

I want to ask for your response to the fact that you didn't inform all your users about the recent serious security breach in JomSocial.

10 years 1 month ago

Hi, Colin.

But we did, and we also provided a patch for it: www.jomsocial.com/blog/hot-fix-3-1-0-4
A news feed is implemented in the JomSocial dashboard in the backend (see attachment).
So every user was informed there about it and was provided a link to the patch.


- Instead of saying: 'it's not working', explain the problem in detail.
- Screenshots with the URL visible in them and the problem marked are more than welcome.
- Tell us how to replicate the problem, we can't fix it if we can't find it.
- Make sure that your site/server meets JomSocial System Requirements
- Make sure to setup JomSocial Cron Job
- Always provide us with access details to the backend and ftp. We need it to debug problems.
- If you have a similar problem, but a solution you found isn't working, open a new thread instead of 'merging' with an existing one.

- Use the "Thank You" feature on any post that helped you
10 years 1 month ago
Colin (Topic Author)
Licenses: JomSocial Expired

Well, I can tell you for sure you didn't inform me at my registered email address.
That email address goes to my own mail server and I checked the logs. No email has been received.

Yes, I saw the fix yesterday, after I found the hack and realised the exploit was via JomSocial.

10 years 1 month ago

Hi, Colin.

I didn't say that we "informed you on your registered email address".
I just showed you the way we inform our users about changes and security releases.

We can't be responsible that you "saw the fix yesterday". You could say the same if you opened an email sent a year ago: "I saw it yesterday".

If the feed on the dashboard is not enough, use an RSS reader or a service like this one: blogtrottr.com/

10 years 1 month ago
Colin (Topic Author)
Licenses: JomSocial Expired

Michal wrote: Hi, Colin.
I didn't say anything that we "informed you on your registered email address".

Nope, I agree: you didn't say that.
I was telling you that you specifically had not done it, whereas I think you absolutely ought to have done.

Anyway, if we look over here:
http://www.jomsocial.com/blog/hot-fix-3-1-0-4
your colleague meravk is replying to cameron (who, by the way, also seems to feel that he wasn't well informed) and says this:

we actually did send an email blast


So based on that, it seems that JomSocial did send an 'email blast'.
But from what you say here I can't decide if you are acknowledging that you did, or denying it.

In any case, based on my own evidence: you didn't send an email to ME.

You are correct that some users might not have seen an email; in my case it's just not possible that I would have missed it. It's a question of 'horses for courses', as they say.

I don't expect you to be responsible that I only saw the fix yesterday.

But what I rightfully expect when you get a serious security hole that was so easily exploitable is that you make every possible effort, via every channel, to keep your users informed.

Personally, in this case I don't think you did that.
The RSS feed in the backend is only visible under some circumstances.
There is a tiny mention on Twitter which doesn't convey the importance.

In my opinion an email to the registered address was an absolute must.

Now, as a company you can take the standpoint: "we did our bit. meh... if they didn't see the backend message, it's their problem"
Or you can consider: "we had a bad exploit and some people got hacked because of it; could we have done more?"

So anyway, that's just my opinion; you can do what you like with it.
I haven't closed the thread, but I have nothing more to say on the matter.

Colin

10 years 1 month ago

Hi, Colin.

Thank you for your opinion.
We'll keep it in mind to improve in the future.
