Archive for February 2010
22
Security Alert: Multiple XSS Vulnerabilities in Internet Brands' vBulletin 4 Forum and vBulletin 4 Suite
0 Comments | Posted by Veritas in Internet Brands, vBulletin
Vendor: Internet Brands (NASDAQ: INET)
Product: vBulletin 4 Forum, vBulletin 4 Suite
Version: 4.0.2
Vector of Attack: Cross Site Scripting
Source: Inje3ct0r, vBulletin.com
Details:
3
We’re Back.. but vBulletin’s Not
4 Comments | Posted by Veritas in Commentary, Internet Brands, vBulletin
Chronos and I both decided after vBulletin 4 went gold, we’d disappear into the shadows to do what we do best: observe. What have we observed during our writing absence? Chaos. Confusion. Backlash. Bugs. Customer Disappointment. Frustration. Disappointment.
As an auditor, I’ve often been asked to audit programs and the scope that’s been undertaken. I’ve also sat back occasionally, as part of my audit scope, to do a complete quality assurance check on software that is intended to be released into production. I find bugs and send them off to QA, but it has been an indicator to me of how a project is being managed, as well as an indicator of its current project state. It’s shameful that vBulletin 4 was released in such a state. The application itself shows too many signs of software bugs and glitches floating around all over the place. In my opinion, I would never have approved the release of vBulletin 4.
As I sit back and tinker in a closed beta environment on my localhost server, I could not and would not approve vBulletin 4 being utilized on any of my clients’ sites (or my own for that matter). There is simply far too much risk involved in utilizing software that’s still quite buggy.
My frustrations with Internet Brands are ever growing. As an auditor, I would likely be writing reports like mad and ensuring senior management is held accountable. However, seeing as I’m not Internet Brands’ auditor, my own position is one of a customer. As a customer, I am livid, furious, and insanely upset that Internet Brands would sell me software that is flawed far worse than Windows Vista. More to the point, I’m extremely frustrated that senior management, in particular Bob Brisco and Joe Rosenblum, have not taken responsibility, nor attempted to signal to stakeholders that this fiasco is being addressed and rectified. Instead, they’ve done their marketing campaign and have decided to hide from the wrath of customers.
I quite understand that software bugs are a part of any development of any application. I also understand it never will be perfect, but I’ve often chimed in my reports to various software companies that bugs need to be managed and controlled properly. If they ever become a significant issue, they can and will hinder functionality. Furthermore, they will cause backlash and create trust issues that will resonate for years to come.
The point of doing bug fixing is to get rid of those bugs. It’s to ensure the software is 99.99% functional for the most common setups.
Looking at some of the bug reports inside the Project Tools, several bugs I’ve found were documented AFTER the release of vBulletin 4 Gold. Some of these bugs are clearly obvious and are simply shameful, as a 14-year-old would have caught them. It’s appalling.
My question to you, Internet Brands: Who did the quality assurance and wrote the quality assurance plan? It is obvious that QA wasn’t performed properly. It’s clear we’re paying more for vBulletin and getting more bugs and less functional software.
3
vBulletin 4x – We Want More – ASAP!?
1 Comment | Posted by Chronos in Commentary, Internet Brands, Jelsoft, vBulletin
vBulletin 4x – We Want More – ASAP!? Or do we?
Let’s take a look back and do a quick review.
First we get the release of vBulletin 4.0 Gold. This build of vB 4.0.0 is plagued with bugs and known issues, yet it’s still released. Then we get vB 4.0.0 PL1, which is a release patch to fix a newly discovered exploit. This takes us to vB 4.0.1, which is a “maintenance release” that fixed 200+ bugs.
Finally, this brings us to 4.0.2, which was supposed to have been released February 4th, 2010 (now delayed).
The mentality used by IB is amusing, but not at all surprising. Instead of focusing on releasing a solid, stable build, they are merely pumping out versions as quickly as they can, and releasing them prematurely, even when they are clearly not ready to be deployed due to known bugs.
Only now with the delay of the 4.0.2 release have they actually held off releasing it to provide a more “quality” build. Maybe they finally learned their lesson that quality > quantity? We’ll soon find out.
@IB, you disappoint me, yet again. Dare I say, we told you so?
I would highly suggest you take a page out of the old vB team’s book and focus on building a quality product. The old Jelsoft actually valued and knew the importance of releasing a solid build instead of just releasing as many bug-filled versions as they could.
