As I am sure you know, we have been on top of security issues since Clipper started, and will be for some time despite it being effectively finished now.
Possibly the most serious issue was the one where absolutely anyone could log in as a manager. Reported to Clipper and MODx, with dialogue between Clipper and MODx, and rapidly fixed in both systems. I have sent security reports into MODx both during the lifetime of Clipper and before, and have appreciated it when MODx has done likewise to Clipper.
Implementing fixes (and perhaps more significant, investigating issues) has often taken significant time, often at times when I have been busy anyway. The midnight and post-midnight oil has been well and truly burned.
...but when you and other ClipperCMS representatives post that "These sort of 'security disclosures' are quite irritating", calling them nothing but FUD...
Perhaps I have got frustrated with invalid reports occupying time, but I am not the only one who has suffered this. For example, "FUD is all I can see from this user's report WRT Revo..." was once said to me by one of your colleagues in the MODx team. This happens, because some reports are genuine, but many are not - and it occupies time, something which is always in short supply.
-- Tim.
[ed. note: TimGS last edited this post 7 years, 5 months ago.]