Since this NATS issue is a little special I don't want to comment on it. However, I can talk about what we have done and do.
About 3 years ago we hired a well-known hacker to try to hack the MPA3 program. He was of very good help to us and we learned a lot from him. Not only about the script itself, but also how the server should be set up and what should be set and not in the OS to make it all as secure as possible. Ever since then we have demanded that these server settings are met before setting up MPA3 on their server.
A year or so later we hired a new hacker to try to hack in, and it showed that he couldn't hack in through MPA3. Then one of the bigger companies wanted to move over to MPA3 from another affiliate software company. They requested that MPA3 had to be audited by a third party audit company. We had no problems with that, and a while later we got the papers back from them. They had only good things to say about the code. Actually they gave us props for the way it was written and secured.
I do not say that MPA3 is unbreakable. I guess no software is. However, we do know how important security is for all parties. There is a lot of sensitive information on the server, and we for sure will do everything in our power to make it as hard as possible for any hacker to get in.
If we do get a hack report, even a smallest suspicion that something is wrong, we drop everything and jump right on it with the whole team of programmers. And if need be, we make sure that all MPA3 installs are patched ASAP.
In the last 2 1/2 - 3 years we have had one incident, I believe. But that turned out to be that PHP was not in safe_mode any longer, as we recommend it to be. The host had turned that off by accident.
We also have some hacker traps in MPA3, but I can not really go into details about them; I ask for your understanding there.
Security is always a challenge, but let the hackers know, we NEVER sleep!
