<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p><span>Vtiger Team,</span></p>
<p><span>I'm following your project all the time, but as you can see, I have not taken part in threats for many months and it's probably one of my last posts here. On the one hand, I'm very happy that Vtiger is developing so slowly, on the other hand, I know that it will also more or less affect our project.</span></p>
<p><span>From the technical perspective, there is less and less Vtiger in our fork and probably over the years, everything will be gradually disappearing from YetiForce, so there will be nothing to discuss. Certainly, what you have done from the visual perspective gives an awesome effect, so congratulations! However, everything else [especially the majority of the PHP code] is low quality and you have to do something about it. As far as I understand, most of the standards related to the code quality and its performance are of no importance to you [because you develop a product only for small companies] but you really have to do something about security! It will become even more important because from May 2018 all Europe will have a new GDPR regulation, where security is a crucial element, so low security level will expose companies that use this solution, e.g: large fines will be charged.</span></p>
<p><span>The problem with security in VtigerCRM [but also in many of its forks, e.g. VTE CRM, coreBOS, JoForce] is that this system is not well secured in any way, I mean the following actions:</span></p>
<ul>
<li><span>loading files</span></li>
<li><span>loading pictures</span></li>
<li><span>verification of privileges for actions</span></li>
<li><span>verification of privileges for records</span></li>
<li><span>data injection [XSS, SQL Injection]</span></li>
<li><span>a possibility to increase privileges</span></li>
<li><span>CRM's server suspension [does not require login]</span></li>
<li><span>etc</span></li>
</ul>
<p><span>If it were isolated cases, we wouldn't have a problem because every application contains some security vulnerabilities, however, what is in the engine of each of the above-mentioned systems tells us that none of these companies has ever undergone any professional security audit and developers' proficiency inside these companies is insufficient. I can understand it in the case of coreBOS and JoForce, because they are companies with 1-2 developers for the whole project, but as far as I remember, you have dozens of them and several thousand customers for On-Demand versions.We have been improving security in YetiForce for two years and we can see how much has already been done, but also how much still needs to be done. After each detected vulnerability we verified whether it exists in other systems and it turns out that 95% of found and fixed errors are still present in other forks.</span></p>
<p><span>Starting from mid-January, we will be publishing a case study about found errors [currently we have over 100 for Vtiger, but in coreBOS and JoForce there are many more]. In addition, all modules we tested for Vtiger have numerous security vulnerabilities and we will also describe this problem. Some errors that we found require rewriting of entire mechanisms, which sometimes takes a few days, so it would be worth for you to spend more time and effort on security in 2018 - it will pay off in the following years. With your current level of commitment in the project, it may turn out that some errors you will be fixing for months, which is why I hope that this time you will approach the problem professionally and designate 1-2 best PHP developers who will be fixing security bugs on a regular basis.</span></p>
<p><span>However, the most important thing for you should be to find a company that really specializes in security audits and perform an audit of the entire application! Without it, you will only create semblances of security, as at present. Such audits should be carried out on a regular basis, preferably before the release of each new version.</span></p>
<p><span>PS. Happy New Year!</span></p>
<div>---<br />
<p>Z poważaniem / Regards</p>
<div>
<div><strong>Błażej Pabiszczak</strong></div>
<div>M: +48.884999123<br />E: <a title="Mail do Błażej Pabiszczak" href="mailto:b.pabiszczak@yetiforce.com" rel="noreferrer">b.pabiszczak@yetiforce.com</a></div>
</div>
</div>
<p><br /></p>
<p>W dniu 2017-12-28 20:40, Satish Dvnk napisał(a):</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div dir="auto">Yes, Simone. We have pushed all the changes of mobile app /web mobile into branch 7.1 and please confirm us as we fixed most(major) issues in app/web mobile.</div>
<div class="gmail_extra"><br />
<div class="gmail_quote">On 28-Dec-2017 9:28 PM, "Simone Travaglini" <<a href="mailto:simonetravaglini@gmail.com">simonetravaglini@gmail.com</a>> wrote:<br />
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">
<div dir="ltr">Hi satish,
<div>thanks for update. It's a good news!</div>
<div>What about mobile module? we see you are working on it, but still bugs... Do you think you will release a stable version with VtT7.1?</div>
<div> </div>
</div>
<div class="gmail_extra"><br />
<div class="gmail_quote">2017-12-28 16:31 GMT+01:00 Satish Dvnk <span><<a href="mailto:satish.dvnk@vtiger.com">satish.dvnk@vtiger.com</a>></span>:<br />
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">
<div dir="ltr">
<div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">Hi All,</span></span></div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"> </span></span></div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">We are happy to announce that we are going to release the Vtiger community edition version 7.1 in January. We would like to appreciate your valuable contributions and validation towards this release.</span></span></div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"> </span></span></div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">Following are the expected release schedule for the V7.1.</span></span></div>
<div>
<ul>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>RCA</strong> - 1st week of Jan</span></span></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>GA</strong> - 4th week of Jan</span></span></li>
</ul>
<p><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"> </span></span></p>
<p><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">FYI <strong>V7.1 Features and fixes :</strong></span></span><br /><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"></span></span></p>
</div>
</div>
<span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"></span></span>
<div class="gmail_default"><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Features :</strong></span></span></div>
<ol>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Follow A Record</strong> (Click on <strong style="box-sizing: border-box; border-collapse: collapse; color: #000000;">Star</strong><span style="color: #000000;"> icon to follow a record. By following any record, you get updates on it as other users of your organization modify the record. these updates are notified to you via emails. Deselect the </span><strong style="box-sizing: border-box; border-collapse: collapse; color: #000000;">Star</strong><span style="color: #000000;"> icon to unfollow the record.</span>)</span></span></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Duplicate Record Prevention</strong> (Prevent duplicate records in Vtiger from all sources by enabling the duplicate check)</span></span></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Webform Attachments </strong>(Allow user to attach files to web forms)</span></span></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Import Users Using .CSV file</strong> (Supports importing User data using .csv file)</span></span></li>
<li>Supporting<strong> Mysql V5.7</strong></li>
<li><strong>Customize modules</strong> icons</li>
</ol>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong>Other fixes :</strong></span></span></div>
<ul>
<li><a href="http://code.vtiger.com/vtiger/vtigercrm/compare/master...7.1.0"><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">Product Issues</span></span></a></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">Usability Issues</span></span></li>
<li><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;">etc.</span></span></li>
</ul>
<div>
<div>
<div><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><br clear="all" /></span></span>
<div>
<div>
<div class="m_-1482578818252036903m_173952444341456969gmail_signature">
<div dir="ltr"><span style="font-size: small;"><span style="font-family: arial,helvetica,sans-serif;"><strong><span style="color: #999999;"><span style="background-color: #ffffff;">regards,</span></span><br />Satish.Dvnk</strong></span></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br />______________________________<wbr />_________________<br /> <a href="http://www.vtiger.com/">http://www.vtiger.com/</a></blockquote>
</div>
<br /><br clear="all" />
<div> </div>
-- <br />
<div class="m_-1482578818252036903gmail_signature">Simone Travaglini<br />328 5499846<br />Linkedin: Simone Travaglini <br /><br /><br /><span style="color: #33cc00;">Rispetta l'ambiente: non stampare questa mail se non ti è veramente necessario!</span></div>
</div>
<br />______________________________<wbr />_________________<br /> <a href="http://www.vtiger.com/">http://www.vtiger.com/</a></blockquote>
</div>
</div>
<br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">_______________________________________________<br /> <a href="http://www.vtiger.com/">http://www.vtiger.com/</a></div>
</blockquote>
</body></html>