Improve handling of security issues
As a web-hosting provider, I would like cPanel to notify its customers when there is a security issue that requires a feature to be disabled and also fix known security issues faster, so that cPanel servers don't get hacked.
The recent security issue with Horde has been very poorly managed by cPanel, and I would like cPanel to improve the way they manage such security issues.
The current timeline for the horde security issue is
31/05/2022 (26 days ago) CVE-2022-30287 was publicly announced in a blog post by the security researcher
10/06/2022 (15 days ago ) cPanel aknoleges the security issue publicly here without informing their customers by any other means : https://support.cpanel.net/hc/en-us/articles/6483941705239-CVE-2022-30287-RCE-Vulnerability-reportedly-discovered-in-horde- 12/06/2022 (12 days ago) Horde releases Turba 4.2.28 to fix these issues
16/06/2022 (9 days ago) Plesk releases an updated version of Horde
25/06/2022 (today) cPanel has still not informed their customers by e-mail or within the WHM interface that they need to disable horde. cPanel also hasn't provided an ETA to updating horde.
and has not released a fix for this issue. cPanel's support say they do not have access to an ETA.
What should have happened :
cPanel should have detected the security issue earlier and determined the current workaround (disable horde) within 48 hours.
cPanel should have informed their customers that they need to disable horde within a few days.
cPanel should have released a fixed version with 5 days at least to their edge branch
We would like cPanel to add a message to WHM when logging in as root user when a security issue requires their intervention, we would also like cPanel to create a security mailing list to which sysadmins can subscribe to be notified about security issues.
We would also like cPanel to improve the speed at which cPanel resolves security issues and also provide ETAs for releasing security fixes when they are publicly known.