I know the main vulnerability: it is that you are unprofessional in operating the system and you are too cheap to do things right.
This is probably the highest security bounty of any forum. It's only a little less than Google's security bounties. After this attack, the forum spent over 100 BTC on security-related stuff. Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.
Contrary to common belief, there is no magic wishing well into which you can throw money and instantly get good results. Often, it's better not to spend money, especially when growth is not the forum's main goal. You always seem to want me to spend thousands of bitcoins as quickly as possible. This would be a great way for the forum to lose a lot of its money without gaining much value in return.
If you don't like how I spend the forum's money, you can:
- Use reasonable arguments (not just trollish demands/complaints) to try and convince me; or
- Create your own organization, generate 6000+ BTC (mostly not from donations), and try some alternative strategy.
I already explained to you that you need to start by using a reverse proxy service such as Cloudflare. They have settings that will stop some exploits before they ever reach the server, and they have custom settings to block various exploits. $200/month.
No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped. Same for any automatic exploit detection based on patterns. Unless DoS attacks get really bad, I won't be willing to give up control of the forum's HTTPS keys.
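The point made above about pattern-based exploit detection, as an added illustration that is not part of the original thread and not anyone's posted code: a toy request filter with three signature rules, of the kind a reverse proxy or WAF applies before traffic reaches the origin, and a payload for each rule that has the same effect on the backend but different bytes on the wire. The rule set, the payloads and the test strings are constructed for this example; they are not Cloudflare's ruleset, and a real WAF normalizes input more aggressively than this, so the specific evasions here are about the structural limitation of matching bytes rather than behaviour, not about any particular product.

```python
import re

# Constructed toy rule set (assumption: modelled on generic WAF signatures,
# not taken from any real product's configuration).
BLOCK_PATTERNS = {
    "xss_script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "sqli_tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def waf_verdict(param_value: str):
    """Return the name of the first matching rule, or None if the value passes."""
    for name, pattern in BLOCK_PATTERNS.items():
        if pattern.search(param_value):
            return name
    return None


# Constructed pairs: (what the signature was written for, an equivalent that
# the signature does not describe). Each right-hand value reaches the origin
# unchanged and does the same thing there as the left-hand one would.
EQUIVALENT_PAYLOADS = [
    # Inline script execution without a <script> tag: an SVG event handler.
    ("<script>alert(1)</script>", "<svg onload=alert(1)>"),
    # MySQL treats /**/ as whitespace, so the query parses identically, but
    # the \s+ in the rule does not match it.
    ("1 UNION SELECT password FROM users", "1 UNION/**/SELECT password FROM users"),
    # Any always-true comparison works; the rule only knows about '1'='1.
    ("' OR '1'='1", "' OR 2=2--"),
]


def evasion_report(pairs=EQUIVALENT_PAYLOADS):
    """For each pair, record whether the original is blocked and the equivalent passes.

    Returns a list of (original_rule_hit, equivalent_rule_hit) tuples so the
    outcome can be checked rather than only printed.
    """
    report = []
    for original, equivalent in pairs:
        report.append((waf_verdict(original), waf_verdict(equivalent)))
    return report


if __name__ == "__main__":
    for (original, equivalent), (hit, evaded) in zip(EQUIVALENT_PAYLOADS, evasion_report()):
        print(f"blocked by {hit!r:22} {original!r}")
        print(f"passes    ({evaded!r:20}) {equivalent!r}")
```

The filter blocks exactly the strings its author had in mind and nothing else; every rule is a description of bytes, so anything with the same effect but different bytes goes through. Adding a rule per evasion only moves the boundary. The other half of the argument is structural too: a reverse proxy can only inspect HTTPS traffic if it terminates TLS, which means the proxy, not the forum, holds the certificate's private key.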