How does Envato justify selling outdated templates, themes, etc. with known vulnerabilities?

Envato, I hate to say it, but you are actively, and willingly, distributing vulnerable code, turning your customers' websites into hacking magnets!

Don’t get me wrong, I like your site, and the concept of selling re-usable code. But, when that code is based on a platform, keeping track of which version of the platform the code was based on becomes crucial information that must be included and disclosed PRIOR to the sale.

Any template, theme, platform-based code, etc., MUST provide the initial, updated and current versions of any platform the code was based on (JS, Bootstrap, CMS, etc.). Right now, customers are flying blind until AFTER we've purchased a product (and searched through the actual code), thinking we've saved a crap ton of time, only to find out we have to re-write the damn thing ourselves. FFS, it defeats the whole purpose of your site, not to mention the legal ramifications of turning every customer's site into a hacking magnet!

As it stands, you have vulnerable products that have been sold for years. Some sellers have kept their products up-to-date, others have not. Any seller that has not should be a little suspect. (I'm not saying they're all bad actors, but it only takes one, right?) If you make versioning details a requirement at minimum, and hopefully verification in the near future, then you can automate this whole process, disabling products when vulnerabilities are discovered, until they are updated. Until then, how are we supposed to address vulnerable products that are ACTIVELY for sale in YOUR marketplace? Because I just inherited one developed with jQuery 2.1.3 and Bootstrap 3.3.4, re-bought it, thinking the update from a year ago would've included jQuery and Bootstrap updates, but it didn't. (The update log did not specify any versioning, either.)

BTW, when the vulnerabilities were brought up in the comments of this particular template, the seller said there are no plans to update it, but I'm free to update it on my own! Brilliant!! Side note: that site template has been sold more than 4,400 times! That's quite a honeypot!

One Frustrated Bird,
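The "searching through the actual code" step the post describes can at least be automated on the buyer's side. The script below is an added example written for this page, not code from the original poster, from Envato or from any marketplace tooling: it walks a template directory, pulls version strings out of the headers that the jQuery and Bootstrap build outputs carry (and out of CDN links and file names in the HTML), and flags anything below a version floor you maintain. The floors in `DEFAULT_FLOORS` and the contents of `SAMPLE_TEMPLATE` are assumptions made up for the demonstration, not a statement about any particular advisory or item; keep the floors in step with your own advisory tracking.

```python
"""Inventory the jQuery / Bootstrap versions bundled in a purchased template.

Walks a template directory, pulls version strings out of the library headers
(and out of CDN / filename references in HTML), and flags anything below a
version floor you maintain. Run it on the constructed demo files, or on a real
template directory, before you decide whether the template saves you time.
"""
import os
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Version strings as they appear in the upstream build outputs, e.g.
#   /*! jQuery v2.1.3 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
#    * jQuery JavaScript Library v1.11.1           (uncompressed build)
#    * Bootstrap v3.3.4 (http://getbootstrap.com)  (bootstrap.js and bootstrap.css)
# plus the forms seen in CDN links and file names:
#   jquery-2.1.3.min.js   bootstrap/3.3.4/js/bootstrap.min.js
VERSION_PATTERNS = {
    "jquery": [
        re.compile(r"jQuery(?: JavaScript Library)?\s+v(\d+\.\d+\.\d+)"),
        re.compile(r"jquery[-.](\d+\.\d+\.\d+)(?:\.min)?\.js", re.IGNORECASE),
    ],
    "bootstrap": [
        re.compile(r"Bootstrap\s+v(\d+\.\d+\.\d+)"),
        re.compile(r"bootstrap/(\d+\.\d+\.\d+)/", re.IGNORECASE),
    ],
}

# ASSUMED policy floors: illustrative numbers chosen for this example, not a
# statement about any particular advisory. Versions strictly below the floor
# are reported as outdated; maintain these from your own advisory tracking.
DEFAULT_FLOORS: Dict[str, Version] = {"jquery": (3, 5, 0), "bootstrap": (3, 4, 1)}

SCAN_SUFFIXES = (".js", ".css", ".html", ".htm", ".php")


def parse_version(text: str) -> Version:
    """'2.1.3' -> (2, 1, 3); tuples compare numerically, unlike the raw strings."""
    return tuple(int(part) for part in text.split("."))


def find_versions(content: str) -> Dict[str, List[Version]]:
    """Every distinct version of each known library referenced in one file's text."""
    found: Dict[str, List[Version]] = {}
    for lib, patterns in VERSION_PATTERNS.items():
        seen = {parse_version(m.group(1)) for p in patterns for m in p.finditer(content)}
        if seen:
            found[lib] = sorted(seen)
    return found


def audit_files(files: Dict[str, str],
                floors: Dict[str, Version] = DEFAULT_FLOORS) -> List[Tuple[str, str, str, bool]]:
    """Audit {relative path: file text}. Returns (path, library, version, outdated) rows."""
    rows = []
    for path in sorted(files):
        for lib, versions in find_versions(files[path]).items():
            for version in versions:
                rows.append((path, lib, ".".join(map(str, version)), version < floors[lib]))
    return rows


def audit_tree(root: str, floors: Dict[str, Version] = DEFAULT_FLOORS):
    """Read every scannable file under a template directory and audit it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return audit_files(files, floors)


# Constructed sample template (not a real item): bundled copies of the two
# versions mentioned in the thread, plus an index page that pulls newer CDN builds.
SAMPLE_TEMPLATE = {
    "js/jquery.min.js": "/*! jQuery v2.1.3 | (c) 2005, 2014 jQuery Foundation, Inc. "
                        "| jquery.org/license */\n!function(a,b){}(window);",
    "js/bootstrap.min.js": "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n"
                           " * Copyright 2011-2015 Twitter, Inc.\n */\n",
    "index.html": '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>\n'
                  '<link href="https://cdn.example.test/bootstrap/3.4.1/css/bootstrap.min.css">\n',
}


def report(rows) -> int:
    """Print one line per finding; return 1 (exit status) if anything is below the floor."""
    for path, lib, version, outdated in rows:
        print(f"{'OUTDATED' if outdated else 'ok      '}  {lib:<10} {version:<8} {path}")
    return 1 if any(row[3] for row in rows) else 0


if __name__ == "__main__":
    rows = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_files(SAMPLE_TEMPLATE)
    sys.exit(report(rows))
```

Run it with no arguments to see the constructed sample audited (the two bundled files are flagged, the CDN references pass), or pass a template directory as the first argument. The non-zero exit status makes it usable as a gate in whatever pipeline builds the inherited site, which is the buyer-side version of the automated disabling the post asks the marketplace for. Note that it only sees what the header or file name says; a bundle concatenated without its headers, or a patched copy that kept the old version string, will not be detected.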

Out of interest do you have an example of a marketplace that uses the same model as here which does this? Or how verification could/would work here?

The issue is that, unlike many other marketplaces, Envato doesn't own the copyright to these items or host them, so I'm not sure how they would verify/moderate item status (past initial review) on the volumes that there are here.

Both jQuery and Bootstrap are client-side frameworks and this nullifies any real security issue…
I think you’re worried without a valid reason.

jQuery 2.1.3 and Bootstrap 3.3.4 are safe to use, including jQuery 1.0 and Bootstrap 1.0 :wink:

Actually, Envato is aware of that and is working on it - at least when it comes to outdated WordPress themes, not sure about other categories though.
However, when it comes to stuff like Bootstrap, there really is no reason to force authors to keep their items working with its latest versions. A template built on Bootstrap 1 should still be perfectly functional. If the author mentions which version of Bootstrap his item is using in the item description, then I don't see any issue there.

However, really outdated items (like CMS ones which do not work on the latest version of the respective CMS or the latest version of PHP) are definitely an issue, not just for buyers but for us authors too. They are just clogging up the search results, making it harder for people to get to items which are kept up to date.