Been getting spam for quite a while in a few of my JomSocial sites so decided to take a look into why. Spam messages were somehow being left by guest users even though guest access was disabled and permissions were set to members only for group discussions. After a short while I was easily able to replicate how to do this myself.
So wanting to do the right thing and not publicly post the exploit for others to see and abuse, I emailed JomSocial support with details of the exploit and how to fix it. After waiting for a while I got absolutely no response whatsoever. I then posted a message to their Facebook feed, same thing - absolutely no reply whatsoever. Pretty ironic considering that their Facebook page is pretty active lately telling us what a great job they are doing improving JomSocial.
Hmmnnnn what to do?
So next I posted a support thread on their forum. After a couple of weeks of not receiving any official reply I gave up any expectation of ever getting a reply and simply fixed my sites myself. I eventually received an email requesting that I give examples of the exploit, screen grabs and a whole bunch of other stuff that would take up heaps of my time. I politely declined, saying that they had missed their chance but offering that they could engage me professionally if they wanted me to fix their code. Not surprisingly there was no reply.