Sunday 23 March 2014

Survey results: Adobe's approach to client communications regarding security issues

G'day:
Well today's last minute push ("3") to get the survey over 50 results has worked. I've got 5679 (the number changed cos I started this on Fri, but finished it on Sun; the other responses came in during that period) now. So here're the results.

Just to remind you, the topic was:
This is just a quick survey to gauge how effective Adobe have been at communicating to their clients regarding security issues that have arisen in ColdFusion

Q1: Have you supplied Adobe with legitimate and currently-accurate contact details when downloading or purchasing ColdFusion?


This is the proportion of people who are happy to provide completely legit email details when downloading ColdFusion. They could just provide a junk address, but they don't. So they're obviously OK with Adobe contacting them.


Almost everyone has given Adobe their contact details. I certainly have. And this is not some generic Adobe contact page, it's the one we fill in when we download ColdFusion. So definitely appropriate for contact regarding CF issues. I have heard of many people getting follow-up calls when they download CF. I always get an email. Every single time I download CF with the same credentials. So Adobe are not shy to send marketing email.

Q2: Do you hold an account with Adobe for any other reason, for which you have supplied currently-accurate contact details?


This is just to check whether a lot of people might have Adobe logins from something else. In hindsight this question should have come before the first one. Oh well.


Predictable.

Well... if the titles weren't truncated.  They are:
  • I have an account which has currently-accurate contact details
  • I have an account but the contact details are not accurate
  • I do not have an account with Adobe

Q3: Were you notified when Adobe had everyone's account details stolen from them, and did they advise you to change your password? 


This is a test whether Adobe (as opposed to specifically the ColdFusion Team) are prepared to email everyone when there's a problem...



I actually find this to be quite a low number! But still: it's a lot higher than the next number. But before we move onto that, we had some comments:

Not for corporate account but general Adobe one

I don't think so, but I don't remember for sure.

I received about 70(!) notices of password resets on a slew of test accounts I had created over the years.

I was notified three times, over the space of a month or so (all for the same account)
70. Nice. Sorry to hear that. The last comment is my one... I had my bloody password - for the same account - reset three times by Adobe. Interestingly... they let me set it back to the same password as before, each time.

Q4: Have you ever been directly notified by Adobe regarding security issues in ColdFusion, be they patches or simply notifications of exploits?




Lucky people who got notified! I never have been. Nor had almost 89% of the rest of the respondents. Also bear in mind the sort of people reading my blog are fairly "active" in their ColdFusion pursuits, not people locked away in some enterprise corporate silo of ignorance. So if there was contact to be received, they'd be receiving it.

This is very very very poor on the part of the Adobe ColdFusion Team.

Feedback:

Never received any email regarding ColdFusion.

Once I signed up for the mailing list.

Not that I recall.

Not that I can recall.

They never release anything except to the person who purchased the product. Often times I only realize it by the little explosion icon saying there is an update in cfadmin.

Yes, when signed up to the Adobe alert notification at http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert
Right... I'm signing up for that. I did not know about it.

Outside of the account breach I don't believe I've ever been notified. I *DO* however always get a followup email after I have downloaded ColdFusion asking me about my experience / sales pitch. So they have my address, and know I'm using ColdFusion :)
Indeed.

How about sending materials out to all the CFUGs? User groups don't exist solely to echo Adobe marketing you know. They'd be glad to help out.
This is a bloody good idea!

Not as far as I can recall.


Q5: What is the primary way you find out about security issues in ColdFusion?


OK, so how do we find out:

That's:
  • Adobe Security Bulletins (notifications delivered to you)
  • Adobe ColdFusion Blog
  • Adobe ColdFusion Forums
  • Adobe ColdFusion Team Twitter statuses (@ColdFusion)
  • From the ColdFusion community (blogs, Twitter traffic, etc)
  • Other (please specify)

No surprises. Well I guess only two people picked "Adobe ColdFusion Team Twitter statuses (@ColdFusion)", which suggests that's not a great place to find out about this stuff. Which is telling. You'd think that'd be the first place to hear about it from!

The responses for "Other" were:

The Adobe ColdFusion Facebook page. I've signed up for security bulletins now, thanks to this survey, I assume now I am going to get bulletins regarding all their products rather than just ColdFusion :(

It's random.

ColdFusion updated.

coldfusionbloggers.org

I actually use all of these because... I had signed up for the security bulletin emails but I never would receive any of them. I finally had to sign up again under a different email address to begin receiving the emails. To this day I never found out what the issue was with the original email I used. Regardless I still check all of these streams because I can't rely on Adobe to let me know.
This is a good idea. This does not absolve the ColdFusion Team from needing to shoulder some responsibility here!

Mainly community and news sites. Often when looking for bug fixes that might be in hotpatches.

Depends. Adobe Security Notifications most of the time, HackMyCF email notifications are most reliable though. Even remember when one patch seemed to be announced on Facebook first.
Are the HackMyCF emails something one only gets as a Foundeo client, or a community service they do? I was unaware of it.

Multiple ways. Again from the Adobe notification from above and Twitter. Honestly, the Adobe ColdFusion Blog does not communicate that well. Usually any notification there is cryptic and has to be corrected via comments on the blog post.
This is my experience too. I think they need to stop the techo guys from delivering the message. They can define what the message is, but they should get someone a bit better at interpersonal communications to articulate the message.

Q6: Reaction to comment

This was asking for a reaction:
In regards to this article - http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/ - which details hackers exploiting an insecure and unpatched ColdFusion server to steal data, how reasonable do you think this conclusion is: "the story is not about ColdFusion fails at all, but about IT failing to keep servers up to date to deal with already addressed security holes".
Here people diverged from my expectations:


  • Very reasonable
  • Somewhat reasonable
  • Neither reasonable nor unreasonable
  • Somewhat unreasonable
  • Very unreasonable
My reaction here is "somewhat unreasonable". I discussed this separately: "It is Adobe's fault, OK?". I guess it's positive for Adobe that people blame them less for their security cock-ups than the victims of the security cock-ups. But, yes, there's no real excuse if an issue has been identified and fixed. Although I think we definitely see a failure to communicate this information going on. Would an admin who knows about issues like that not patch a server?

Comments:
Maybe IT knew about the exploits but weren't given the time of day by their management to make the fixes. I think it's as likely that bad management is to blame as IT's lack of knowledge. I think that patches are slow to be released by Adobe too, but that's not exclusive to Adobe. I don't feel it was CF's fault.

One of the servers in that article is one that I had to fix after it was exploited. The server wasn't fully patched and it was assumed the hosting company was doing updates.
Were they supposed to be doing the updates, or was this a breakdown in communications? For co-hosted servers I'd expect the hosting company to be doing it. But for dedicated servers, I'd expect the default to be that it's up to the client to deal with it, even if "dealing with it" is "paying the hosting company to look after it". If one is in this situation, I'd be confirming with the hosting company how they go about this sort of thing though.

Every system has security issues. It is up to us as a user or administrator to patch the system. The vendor has done its job by providing a patch and announcing it. However in this particular case, it would be better if ColdFusion had an auto update like in Windows or OS X. And, make sure every current or potential customer receives the information.

The servers should be able to check for updates and notify you through its own cfmail.

The truth is that admins did not patch their servers, but the story came across as blaming the use of ColdFusion, patched or not. I see very few stories about data breaches that blame the admins. Generally whatever software is being used takes the blame. This is not just for ColdFusion, it's just that CF doesn't seem to get any positive press, and Adobe sits quietly while their product takes a beating.
In Adobe's defence, I dunno how good it would look if Adobe themselves had declared "well it's their bloody fault for not patching!" However it would not be too far-fetched of them to contact the companies whose exploitation stories are made public, go over their server security with them and get them back on track, by way of some positive PR, and looking like they give a shit. They could put some positive spin on this. But they don't seem to bother.

I would say that ultimately, IT administrators are at fault if their servers aren't fully patched. However, given how painful, complicated, and fraught with opportunities for screwing up a ColdFusion installation the way updates were installed on ColdFusion 9 and below was, I give admins a little bit of a break. Just think: how many blog articles has Charlie Arehart written to explain how to install the various updates and hotfixes for ColdFusion 9?
Very true. One thing Adobe could consider is to back-port ColdFusion 10's auto-updater to ColdFusion 9 too. They seem to play down the fact that ColdFusion 9 is still supposedly a supported platform.

I'm still on CF9 in production, so patching isn't easy. Generally it's a complex manual process, and the directions need some careful consideration to follow. Making a mistake can take a server down. And as this survey points out, notification doesn't arrive in my inbox, I need to stumble upon it somehow. Compare that with CentOS, for instance, a free open source OS. I get email notifications the moment patches are released and an update is just a few command line keystrokes away. No complex instructions, manual downloads, etc to put me off doing it until I have my wits about me in a calm, distraction free moment (hour or two ...). I'm also reminded of the lockdown guide. I'm grateful that Pete Freitag wrote it and put it out there for free, but one gets the impression that he withholds enough information, and / or glosses over it, to make it at least somewhat likely that he's hired as a consultant. This should be coming from Adobe, not a private consultant with an interest in obtaining clients who apparently develops it in his spare time. And it should come with the documentation when the product is released, not a year afterward, which has been the case with the lockdown guide. To be fair to Pete, I don't think he's being paid to produce this, he likely can't afford to make it comprehensive. And yet, it's a key document underpinning CF security. Without it, securing a CF server would be much more difficult, utterly susceptible to misinformation, as amateur opinions traded and debated online would be the only source of information. But all that said, Adobe should be responsible for developing and providing this information! It should not be left to a single person with a family to support to do it in his spare time when he can get to it. I think this is a root of ACF's security problem.
This is a great contrast. And patching an OS must be a more complex task than patching an app server, wouldn't it?

The public perception has obviously been affected by the high profile articles on this topic. It seemed to me, in most cases, a good majority were versions that had not been upgraded or patched. There's only so much hand holding a company can do on that end of things.

I would have to lay partial blame on the company's IT department because the resources and tools are out there to guide you through the process of properly locking down a production ColdFusion server. That being said, I would lay equal, if not more, blame on Adobe for not communicating the importance of locking down a production server and/or making the process of locking down a production ColdFusion server easier. ColdFusion has never been an easy server to configure and manage, perhaps it's all the non-Adobe moving parts (eg. various versions of IIS, Apache, etc), at least that's what Adobe will tell you, but it seems like there's real room for improvement.

It is reasonable, however, all it takes is 1 unpatched server to bring down a company's product. This has happened in other languages too, but honestly, no one is running those types of applications in those languages so the global impact is minimal.

It is a failure of CF in being as open by default as it is. However, it is also largely a failure in that firms don't want to pay the high upgrade fees, so will often use older versions for a long time. This cost also leads to there being just one production server, no good testing environment where updates can be tested before deployment to prod. Also, I believe too often admins know very little about how to work with CF and will often just leave CF up and running with no action. Finally, too often the CF dev is the admin as well, so updating the server may be at the back of their mind, but getting their regular day to day work done first takes priority. After writing all of that, I think it is actually maybe more of an Adobe fail than a CF fail - the marginalized nature of the language just makes IT support for it more costly and difficult.
I've nothing to add, but it's a great comment.

CF is an enterprise class product; it should be secured and as bulletproof as possible. You wouldn't buy a Ferrari and anticipate needing to upgrade its door locks or blame your mechanic for not knowing the door lock should be replaced.

That statement is not a complete picture and ignores the fact that there was indeed a significant security hole in ColdFusion.

The reality of the matter is that there are way TOO MANY insecure ColdFusion servers out there. All one has to do is read the list of servers attacked by Lauri Love just in the New Jersey indictment, http://www.justice.gov/usao/nj/Press/files/Love,%20Lauri%20Indictment%20News%20Release.html Adobe does themselves no favor in that ColdFusion is not installed by default with secure settings. Microsoft learned this lesson with IIS, Adobe hasn't learned this. Also "Secure Profile" isn't all that secure. All the recommendations in the lockdown guides need to be integrated directly into the installer, not a separate guide that an admin might see. If they can't, the links to the guides need to be lit up in bright neon saying your install is not secure unless you do this. The other problem is patching ColdFusion before 10 (and still in 10, all the various instructions of do you need to re-run the connector or not) isn't easy. They expect people to upgrade to get bug fixes that have been broken forever (wait "works as designed", "deferred/not enough time", or "backwards compatibility"). And when they DO get a bug fix out how many times has it had to be re-released due to shit QA or it breaks something else unrelated (spreadsheet functionality) or introduces a vulnerability. This is what people are PAYING for and they wonder why it is "dying". Perception is reality, if a CIO has it in his head that ColdFusion in their environment is a huge risk, they are going to get it out of there. Without a quality message to the opposite from Adobe, it will persist. As seen with eLightBulbs.com, people don't upgrade if it is working for them and there are no compelling business reason to upgrade, regardless of the "new shiny" or latest (3 year old) mobile/social trend Adobe has targeted for "Enterprise Customers".
Very good point / idea. The lockdown guide should not be random ad hoc guidance aimed at the administrator, but taken on board by Adobe as how ColdFusion installs out of the box.

It's about CF fails to a certain extent, too. Unfortunately Adobe makes it impossible for sysadmins to keep on track with updates. Even in CF 10 where they have introduced some level of automated system, some patches are a pain in the neck to install. One wonders why Railo can do incredibly simple "2 mins" patching (or even fully automated) and Adobe can't.

Every time you have to patch an application server, you have to re-test everything. Some of ColdFusion's security patches have broken previously working code. The login / authentication security hole was actually INTRODUCED BY ADOBE as a hotfix for CF8 - and then left open in CF9 and CF10!
This is a ludicrous state of affairs.

The admins are at fault, sure. But it's Adobe's fault the situation was there in the first place. It's because of the ColdFusion security hole that this became "a thing", not because the admins didn't patch something.
The last one is my observation. I've already commented on this topic enough, so I'll let the other comments stand on their own merit.

Q7: what do you think?


In your opinion should Adobe actively attempt to contact their client-base when (any?/significant?) security breaches in ColdFusion are identified, or is it the responsibility of the ColdFusion system administrators to ensure they are aware of and act upon security issues that might arise (and/or add any other comments you like; this is the last question, so have your say).

And you thought:
yes absolutely

It would make everyone's life easier if Adobe made it more obvious in the My Adobe area how to register for security advice. It's a bit buried away in its current form.

If there is no communication from Adobe, sys admins will not be urged to patch servers immediately. In a perfect world, servers/software will be up to date, but this doesn't happen. If Adobe doesn't inform their clients about security related issues with current versions, nobody will put in their time to investigate IF something is going on security wise with their CF installs. Proactive information from Adobe is very needed and the current way of handling these issues is a big show stopper for me to continue to work with Adobe ColdFusion. I switched over to Railo and am sticking with them.

Both... I believe Adobe should communicate better and more, but it's also the administrators' responsibility to keep their servers up to date. It shocked me several times already when I'm consulting at clients and figure out the server administrators don't know where to find the information. They should look harder and at the same time Adobe should make it easier to find it.

They should be issuing notices, but it is also my job to make sure all our servers are patched.

I think one should be able to opt out of these notifications.

Yes, they should make it one of their primary responsibilities. It's certainly not difficult to send out e-mails to their customers or even take the time to call their contacts directly. Why not put them in contact with their vendors for hardening their servers?

They should attempt to contact their client-base for any security breaches. They should do this via email, blogs, twitter or any other means of contact they have. That said, it's still the responsibility of the ColdFusion system administrators to ensure they're aware of any issues.

The only time Adobe has contacted me after downloading a product is to attempt to sell me more products. I suggest they implement something like their Adobe Cloud application for CF Developers and Network Administrators that proactively checks for updates and announcements.

I think Adobe definitely needs to be better at providing information about security patches. In the past I signed up for their security patch notification list, but I never saw any patch announcements. That said, knowing that Adobe does not announce these, server admins should be watching other sources to find vulnerabilities. There are a lot of 3rd party security notification services that would keep you informed. Also, CF 10 will tell you when patches are available (in CF Admin), so if you're lucky enough to have CF 10, you just need to pay attention when you go into the CF Admin.

There should be an option in your adobe profile to receive communication regarding patches and security issues that is enabled by default, but can be disabled.

Of course, Adobe should actively attempt to reach out to their customers. On the other end, administrators are responsible for patching their systems. Perhaps both parties need to improve their communication, so they can act in a timely manner.

I think Adobe should generally be more organised. Their bulletins are all over the place and are even sometimes updated days after being initially published. There's not one master source of information. Sometimes I hear about it in their blog, sometimes not. The auto updater is a step forward but for CF 9 it's not an option. The fact that things like Unofficial Updater 2 even exist should have them in shame.

Adobe should make every effort to contact its customers when there's a known security issue.

Adobe should proactively attempt to contact anyone that has ever dl'd CF to make them aware of patches when released, whether the patches are security related or not. CF10 makes life easier, but I still need to log in to my CF10 server to find out if patches are available - that reminds me, gonna do that now.

It should be both.

Yes, Adobe should contact their client base when security breaches in ColdFusion are identified

Both. Adobe should push notifications to all CF system administrators. At the same time, those system admins should be keeping up with what's going on in their community.

I don't believe Microsoft contacts their client-base every time there is a security patch in Windows or Office products. They just push out the fixes on Patch Tuesday. When there is a dangerous zero-day security issue, they may release a patch on a non-scheduled day, but I don't think they actually notify clients - usually such issues get a fair amount of media attention which gets the word out. With the updater built into CF10/11, putting out security fixes becomes easier - but admins still need to stay on top of their servers and install the updates. Security issues still need to be communicated to the customers so they know immediate action is necessary. So many organizations are still running on ColdFusion 9, so Adobe still needs to contact clients directly when security issues are uncovered and fixed. Those customers unwilling to upgrade to currently supported versions of ColdFusion (i.e. version 8 or below, and for whatever reasons) really have no one to blame but themselves if they fall prey to a security breach.

Adobe notifying their client base would be a big plus. Unfortunately, Adobe has never really been that kind of company. Any decent admin will have other sources of security/patch information and stay well informed.

Absolutely! I pay for licenses and support. If CentOS can do this, they can. And as I said, they should also be responsible for developing, testing and publishing the lockdown guide, and it should come out as or before a server version is released!

Yes, it's their language and their profit margins that are on the line, as well as our necks!

I think system administrators should be aware of all the security issues, and if any patches are released they should be acted on immediately, in test servers and in production.

It might help them to keep some of their remaining customers. The whole CF10 debacle (like patches that destroy your scheduled tasks settings) and Adobe not being able to secure even their own server (well, they're only a company that DEVELOPS AND SELLS server software and wants to advise their customers on how to secure their servers) were the last straw (after other insults like making so many features unusable in the Standard edition for the license to become a waste of money) and we migrated our company to Railo.

Yes, Adobe should notify the client base when security issues occur, and yet it is the responsibility of the system admins and developers to make sure they are on top of the issue, and not just depend on vendors for notification. The current hole in the communication is not just that the security issues exist, but the best way to fix them when they occur.

Primarily it is the CF SA's responsibility. BUT in case of a major threat, a direct contact from Adobe wouldn't hurt.

Sys admins.

It should be the SA's responsibility to provide proper contact information to Adobe and maintain its currency, and Adobe should be responsible to provide that information to those individuals. Adobe should also make it easy to find news about recent issues.

Any help a vendor can provide makes them a more valuable vendor to keep in the future.

There is a grey area here for me on this question. I believe, since the license information for the CF purchase is tied to an Adobe account, that efforts could easily be made to notify people in a more timely fashion for zero hour exploits. The other side to this is in certain companies, and organizations, the person that needs that notification would not be the email associated with the purchase. You then end up in a situation where some administrative assistant or purchasing agent is receiving the emails. I suppose you could tail this argument out of control and assess them marking it as spam/junk, clicking a link to not receive updates anymore, etc.

Yes, Adobe should actively attempt to contact their clients if they are aware of a security hole.

In my opinion ... Adobe should halt CF 11, make sure that the update process works seamlessly, configure the install of CF on all platforms so that it is hardened by default, and get the community and white hat hackers to pound it until people are as reasonably confident as possible that it is as secure as possible. You know, bug bounties and all that. Of course new vulnerabilities might become known in the future, but that is what the update process is for. Once CF 11 is 'the most secure version of ColdFusion ever' then Adobe should release it and reach out to anyone who has purchased ColdFusion in the past as well as post in their blogs on their website and in their marketing to get people to upgrade. During the install process the user should be prompted to enter their email address to be notified of updates and security alerts. In the admin interface the user should likewise be able to subscribe to an update/security alert. Ditto on the Adobe website under your account. Adobe should hire and make known the name of the CF security officer responsible within the organization whose job it is to review incoming reports, bugs, news, follow the latest in web attack trends, etc who will be responsible to make sure that security issues get a high profile within Adobe and that those are communicated to people who sign up for security notices. The person should have a blog and be approachable so that users with security questions can ask advice and get referrals. Through these kinds of steps Adobe can get in front of and put to rest this issue, which has the potential to continue to harm the product and its users. The old saying 'justice must not only be done, but be seen to be done' can be rephrased in this case as 'ColdFusion must not only be as secure as possible, but we must show the world that we will do whatever it takes to make sure it stays that way'. Good survey!
This is a great comment. I like the idea of Adobe actually "'fessing up" and proactively taking some responsibility for all this. The idea of making an active - marketed - point of going to extra lengths to harden the product is good PR in my opinion (not that I know much about PR!).

Yes, Adobe should actively attempt to contact their client-base when any security breaches in ColdFusion are identified.

When significant ColdFusion security breaches occur, it would be nice to receive alerts from Adobe, considering they already received our contact information when we registered with them. If nothing else, it would be nice to have RSS feeds for each product's security events. I find it kind of obnoxious that in order to receive security updates from Adobe (through email), I have to sign up to receive notices about ALL products. If I'm only interested in CF security bulletins, the community should have the option to only receive those updates.

If you're a registered user of ColdFusion, you should be actively contacted by Adobe when security breaches are identified. Since signing up for Security Bulletins and subscribing to the Adobe Product Security Incident Response Team (PSIRT) Blog, I will say that I'm happy with the level of communications regarding security issues in ColdFusion.

Yes, definitely

Yes, they should. I don't recall getting much information from them even though we have Gold support through them.

Adobe needs to take responsibility for the product that they are selling. If a LAMP site gets hacked, there is less 'salt in the wound' since the stack itself costs nothing. But justifying paying 7k+ one would expect a significantly higher level of security and some accountability in the event of a hack.

Both, but Adobe should be informing customers.

I think they both have the responsibility. As much grounds should be covered when security issues arise. Being 100% responsible for proactive actions should be the goal. Adobe needs to work on their communication skills, especially the upper management responsible for overseeing ColdFusion. And System administrators can't just sit back and assume all is right in the world. Not as long as we constantly have criminals looking for ways to steal data.

Admins are responsible. Security issues hit back to Adobe and the CFML community though. So better communication might pay off in the end.

It would be nice for Adobe to be more pro-active at pushing out security hotfix updates.

Both are responsible Adobe should contact the user base and make them aware. But any responsible Admin should be actively following the news etc for all the software installed on their server. --- Coldfusion is insecure by default. After installing it, admins are expected to make it secure. This is completely the opposite to what it should be.

Both. Adobe should have a plan and methods (email, social etc) to send out notifications, but the Sys Admins should still be on the ball.

Yes of course.

Adobe should actively attempt to contact their client-base. But even if they do so, this doesn't take the responsibility from administrators to keep their systems up-to-date. Breaking into a CF Server through an openly available unsecured CFIDE dir isn't a security breach, IMHO. It's more like inviting trouble.

It should be the responsibility of both. Adobe should however make it as easy as possible to find out or stay updated. There should be no reason to not know. Additionally we're all lazy by nature so making it easy is the most likely way to avoid future breaches.

Adobe needs to be much more active in communicating security issues, and in pushing those notifications to interested devs/admins. If they are not going to use our contact information, they should offer some sort of push-based mailing list we can register for through which they can deliver notifications directly to us.

Yes. They always seem to follow up whenever I download a copy of ColdFusion; it should become an automatic opt-in for security notices. For as big as Adobe is, you'd think they'd have decent communication/PR groups, but it seems like those resources are not given to the ColdFusion team. Then again, Adobe as a whole doesn't communicate well regarding security.

I'm 99% certain I've signed up for Adobe's security notices in the past, but I honestly can't remember ever getting an email. I just signed up again. http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

Both! Being/staying secure should never be optional knowledge. One or both sides would be pretty ignorant otherwise. People pay good money to have a secure (or as secure as possible) product produced and maintained by Adobe/ACF Team. Without a doubt, whatever contact info is stamped on the account referenced to said server license(s), Adobe should indefinitely contact that client regarding vital info and/or steps to prevent and lock down any potential issues; not just publicly on a website. This alone is a priceless value that renders Adobe more valuable to the client in my opinion. On the flip side, whoever is maintaining said server(s) should damn well be on their game in regards to keeping the environment patched and secure. Company protocols and the lot regarding what can be updated/upgraded else risk compat issues etc. can go to hell in this instance. If your CF server is out of date with patching and general lock down concepts, you need to get it patched. Period. If you host valuable/sensitive information then you should be taking this stuff serious. Period. This mindset shouldn't just apply for CF either! I'll note however that I do not expect every sysadmin or whoever maintains a given CF server to be up to date from the usual go-to internet sources for CF info like Twitter and CF Community Blogs (though I'd highly recommend it!). There are a solid number of 9-5ers who do what they do and leave it at work. Which is why the process should still circle back to it being on Adobe to at least _attempt_ to make more "personal" contact with their clients on updates/issues. Cheers!

I think it is a dual responsibility. As someone who recently had a ColdFusion server compromised, I squarely place the blame on myself for not keeping ColdFusion updated with the most recent patch. I do however think that Adobe has an obligation to notify customers. We are not talking about something here that is open source. The financial investment that is made when choosing ColdFusion should include a certain level of support.

Adobe has the email address of everyone who downloads CF and has purchased a license, so I find it hard to think of a reason that Adobe can't send a simple email out when a security risk is identified. After all, they have no problem sending emails to promote buying the latest Adobe product.

I think it's their "moral duty" to expend whatever effort is required to make sure word about exploits and vulnerabilities gets out to as many people as possible. This requires multiple channels: social media, blog posts, direct emails, and for those customers with Gold Support contracts I think that follow-up phone calls should be considered.

There should be a way to subscribe to bulletins posted, with an obvious way to sign up.

Yes!

Adobe needs to do a far better job at communicating important server updates.

Perhaps not for every single exploit, especially since there is an option to sign up now. However, given the severity and level of exploitation of some of the vulns released last year I would have actively sent out notification if I were them. That being said, I do not personally own any CF server licenses so I cannot confirm whether or not they contacted license holders.

Developers are not in most cases the system administrators. I have been suggesting since the Allaire days that you let people have a place to plug system administrators emails into the server. Maybe even prompt for them to be filled out the first few times you log in. Do not send any marketing whatsoever to these people, just emails notifying them of the need for updates along with clear instructions. Clear enough that someone who knows nothing about ColdFusion could follow. Maybe even grab their cell numbers and send them a text message. Lots of times these same people are constantly lobbying management to replace CF with ASP.Net, don't give them more ammunition. They're not going to say they failed to patch the server in a timely manner - they will blame ColdFusion!!!

Contact people. Make every attempt. Act like you care.

Yes. As a commercial product that we pay big bucks for, I would expect them to email and/or phone us to notify of updates and security issues. But they don't (at least not for CF9).

Absolutely they should let us know

yes

Certainly as soon as they have a fix for a security issue, Adobe should notify ALL ColdFusion customers in their database - including trial account users who have downloaded the affected version(s).

Yes they should attempt contact, but it is also a sys admin's duty to keep informed and updated/patched.

Adobe should use every means they have to let their customers / users / developers know when there is a security hole in their software and that there is a patch / fix to be applied. That being said, it is still up to the admins / developers to be on the lookout for these things as well, thus the reason I subscribe to a number of blogs, follow a number of CF devs on Twitter, have them on FB and everything else I can think of.... One big suggestion: how about a listserv hosted by Adobe just for ColdFusion Security Alerts...........

I think to be an effective administrator you need to be active seeking out issues

I think that a software company should allow customers/users to sign up for notifications, preferably with some level of granularity. Then that company should send notifications, with the proper urgency, and in the method(s) that the customer chose. This is pretty basic, no? Furthermore, I think that applications like this should have the ability to have push notifications enabled in the Admin (à la CF 10 and up) and frankly, it wouldn't be a bad idea to back-port, at the very least, the notification part of the CF 10 auto update to prior versions of CF regardless of support level. It's just good PR if nothing else: the fewer such articles as mentioned in this question, the better it is for said software company.

They have the information, so yes they should. Perhaps not for every single update that's pushed out to CF10 via the auto updater (but why not?); but for serious security holes that have been demonstrated to cause financial damage and also damage Adobe's own reputation, it's negligent and foolhardy for them not to.

Thanks for all the great input everyone! It's good to see any insight into how other people think, and the ideas people have. Now... what do you think about each other's opinions / comments?
--
Adam