phaolo: Did he just mark his own post as the solution? O_o
That must be what he was on about in the first place.

If rep meant anything it might actually be important.
Hi,
We are in touch with neophile1980 who found some bugs in the forums.
At the moment we are working on the fix.
Mr.Grucha: Hi,
We are in touch with neophile1980 who found some bugs in the forums.
At the moment we are working on the fix.
That's good to know. So would you kindly also let us know when they have been fixed? :)
The poor coder on the job fell asleep after a week of non-stop working on it...
Mr.Grucha: Hi,
We are in touch with neophile1980 who found some bugs in the forums.
At the moment we are working on the fix.
Lemon_Curry: That's good to know. So would you kindly also let us know when they have been fixed? :)
According to email conversation with GOG, the vulnerabilities are still in the process of being fixed (no ETA given by GOG). However, if the vulnerabilities are to be fixed properly (and not just mitigated), I guess that fundamental changes/improvements have to be made to the forum code's - let's call it - suboptimal design. Based on their responses so far, my impression is there is no dedicated IT security team, so I think it's good if they take their time to fix the bugs (and probably others based on the same design flaws along the way) in a proper way. I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
neophile1980: According to email conversation with GOG, the vulnerabilities are still in the process of being fixed (no ETA given by GOG).
Well, who needs an ETA when you got an '[a]t the moment we are working on the fix' update 15 days ago? ;)

neophile1980: However, if the vulnerabilities are to be fixed properly (and not just mitigated), I guess that fundamental changes/improvements have to be made to the forum code's - let's call it - suboptimal design. Based on their responses so far, my impression is there is no dedicated IT security team [...]
Why am I not surprised by any of this?

neophile1980: [...] so I think it's good if they take their time to fix the bugs (and probably others based on the same design flaws along the way) in a proper way.
I wouldn't build my hopes up – they rarely fix things properly. At least not without breaking something else in the process.

neophile1980: I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
You're not the only one who's waiting... Just curious, but for how long would you consider it acceptable for these issues to remain unfixed?

Oh, and thanks a lot for being so considerate as to contact GOG about the vulnerabilities, offer them your help as well as not posting about the specifics in the forum. :)
Post edited November 28, 2017 by Lemon_Curry
neophile1980: I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
Lemon_Curry: You're not the only one who's waiting... Just curious, but for how long would you consider it acceptable for these issues to remain unfixed?

Oh, and thanks a lot for being so considerate as to contact GOG about the vulnerabilities, offer them your help as well as not posting about the specifics in the forum. :)
Evidently, the more critical issues should be fixed with a higher priority which - as far as I can tell - they have been doing. I am unable to tell how well these vulnerabilities are fixed (or whether they have been fixed at all) since I neither tested nor reviewed the implemented fixes myself (all vulnerabilities have been identified based on educated guesses/black box testing - I didn't ever see source code).

Fundamental (design) vulnerabilities need more careful planning and I think some of them can only be fixed with a decent understanding of how privilege models and basic attacks work. I don't want to sound as if critical security vulnerabilities have been identified when I gave it a quick spin (and it really wasn't more than that) and the problem is that it is difficult to assess risk in this context. I did not ask GOG for permission to assess their site before having reported the issues and I just don't want to be put in charge in case something breaks. But given the nature of the vulnerabilities and their underlying design, it is very likely that there's more (with potentially more critical impact). Hence I recommended to GOG by mail that they engage pentesters regularly or at least take part in bug bounty programs.

I'm also hoping the guys at GOG do understand that it's important for them to improve their security and their ways of handling security reports on a professional level in general. Security by obscurity just doesn't work and I think the least you could do as a company is be honestly grateful to researchers dedicating their spare time to reporting vulnerabilities for free. Of course, closing one's eyes and hoping for the best is another option.
Post edited November 28, 2017 by neophile1980
drmike: Mail service from Poland takes a couple weeks.
Haven't read more bullshit this week. Thanks for giving me the laughs.
drmike: Mail service from Poland takes a couple weeks.
Pawel1995: Haven't read more bullshit this week. Thanks for giving me the laughs.
Hate to say it but it really did take 4 months to get that webcomic graphic novel.

I read a couple of the Pixie Trix webcomics (I'm not going to link to them as they may be considered NSFW by some.) and it usually takes them 3-4 weeks to clear customs from Canada to the US.

They even say so on their website:

http://pixietrixcomixstore.bigcartel.com/faq
Lovely. I just discovered an issue as well.

And Mr.Grucha has privacy in place.

And contacting Blues directly is a dead end.

Going the support ticket route and hope someone pays attention.

We really need a better method to report security problems here.
deleted
Post edited July 21, 2018 by neophile1980