vBulletin / Charging for security fixes/patches
vBulletin is arguably the best forum software available. I have been a customer for nearly 10 years and have used their forum software in addition to phpBB and Invision Board. I keep going back to vBulletin because of its ease of use and powerful functionality. However, things seem to be changing over there at vBulletin headquarters of recent. They have developed a new and distasteful practice of charging customers for security fixes. When a company begins to establish practices that follow the line of blatant irrationality, it's time to start looking for other options.
Case and point: I currently own a license for vBulletin 3.6. It has been vBulletin's policy in the past to offer free security patches to customers with the same vulnerable version, which is quite logical (due to the very nature of php, it's always plagued with security problems). However, with a recent finding of a significant security hole, vBulletin released version 3.6.11 patch level 1 which fixed a flaw that could allow an attacker to compromise another user's account. Silly me, I thought I could get this patch free of charge as I had in the past. However, I found that it was not in my download area of the "Member Area" of vBulletin's website. Confused, I called their 800 number and spoke with a rep who only wished to argue. He told me that even though I had an "owned license" I was not eligable for this "upgrade". I proceeded to inform him that I wasn't interested in an "upgrade" and that I simply wanted the patch fixed. He informed me that I could have the patch fixed by upgrading for another year for $60. I then asked him if this "upgrade" contained any new features and enhancements to which he answered "No, just this security patch and bug fixes". I asked to speak to a supervisor and was informed that Steve Machol (vBulletin's customer support manager) is the only person who can wave the fee, and further more that he can only be reached by sending a general support inquiry via email, with his name in the subject line. So, I sent Steve an email and have waited for 2 weeks for which I have yet to receive a response. I have had no choice but to pay for the security fix as my forum was left wide open for attack.
It is absolutely shameful that a company would charge it's customers for security holes, disguized as "upgrades" when only patches and bug fixes are part of the package you are paying for. Thus I cannot recommend vBulletin to anyone unless they are willing to pay the price of future "upgrades" and security holes that will surely (and always have) plague this forum software.