Owned license trade-in feedback

[Evgenii]

Sometime many, many years ago, I paid for a lifetime license for WHMCS. I purchased reliable software - no vulnerabilities that would allow any scriptkiddy to hack into my system. Today, after many years, I receive a letter from WHMCS with a direct threat "renew or die". They suggest switching from my lifetime license to a monthly one. They write that they have found a serious vulnerability that exists in all versions of the panel. But they won't give me a fix! Only if I upgrade to a monthly license. Does this mean that many years ago I paid for a holey piece of *? Undoubtedly! What does this say about the company and the people who work for it? Decide for yourself!

[Eugene]

This is really sad but true. 

I felt the same when they launched different pricing tiers.  Initially, the price was the same for all clients 17 or 18$.

Now when they introduced pricing tiers, ideally, they should have lowered the price of the 1st plan to 5$  or so because the new companies can't afford 19$ from the beginning.  Instead, they made the 19$ pricing to the base plan and kept adding more tiers on top of it.  This is the next level of greediness, the WHMCS team did not even think of small companies.

[DennisHermannsen]

 

On 8/4/2023 at 5:03 PM, Evgenii said:

Today, after many years, I receive a letter from WHMCS with a direct threat "renew or die". They suggest switching from my lifetime license to a monthly one. They write that they have found a serious vulnerability that exists in all versions of the panel.

We received an email as well, and I think you're overreacting. There's no mention of a specific vulnerability - they just offer everyone with a lifetime a 25% discount for the next 24 months.
The "lifetime" license still required you to pay for updates and support. You would've needed to upgrade anyway. You haven't been able to renew updates/support for many years, now.

1 hour ago, Eugene said:

This is the next level of greediness, the WHMCS team did not even think of small companies.

They don't have to. Their price increases might lose them some clients, but I'll bet they makes way more money now, despite having fewer clients. That's a win-win for them; less clients to support while earning more money. If I could, I'd have done the same, and I'm pretty sure most people would.
There's plenty of alternatives to WHMCS that "small" companies can use. They are not entitled to use WHMCS.

They changed their pricing model two years ago. They don't care if you're leaving them at all.
Complaining won't change a thing. The price model works in WHMCS' favor. If it doesn't work for you guys, find an alternative.

This has been discussed in multiple threads on multiple boards for years now, and almost everyone involved in the discussion thought this would bite WHMCS in the ass. It didn't.

[bear]

2 hours ago, DennisHermannsen said:

The "lifetime" license still required you to pay for updates and support.

We would have gladly continued to pay for that, even with yet another increase in cost to it. Instead, we get a version that will disallow access if you stop paying (while paying more).  More than anything, it's that which sticks in our throat.
Though I understand the need to increase revenue, it would have gone a LONG way to soothing paid license holders if they'd provided a way for legacy license owners to continue owning and pay contiguous support (no gaps, if you lapse you need to pay back due to continue). 

Never even considered, AFAIK. 
Such is life, especially when there's a corporate backer/owner. 

[Evgenii]

This is not a complaint. This is an indictment.

I paid for software that had vulnerabilities, and WHMCS is obligated to provide a fix, not write me "pay or die" threatening emails. A month ago, Microsoft released security updates for Windows XP, which came out in 2001. It is distributed publicly and free of charge. This is the behavior of a healthy company.

About the abolition of the paid upgrade option. It is illegal. I bought the license in 2009, look at the WHMCS website at the time in the web archive, they say "Owned License - Updates & Support: 12 Months - $44.95 Optional Renewal". They sold the license with such conditions. It cost $324, a solid amount in 2009. Why now, many years later, they suddenly renegotiate the terms of our public contract concluded with him in 2009? Did he have a time limit? No. Do you see restrictions on the lifetime of a license (EOL or similar) on a site that is a public offer? No. Does the company I paid for, UK Registered Company #6265962, still exist? Yes. So why the hell should I pay for in 2023 to fix security bugs in the code they made in 2009? Should not. And it's illegal, I think.

[DennisHermannsen]

12 hours ago, Evgenii said:

I paid for software that had vulnerabilities, and WHMCS is obligated to provide a fix

They are not. If WHMCS went out of business, they would not be forced to pay you your money back.

12 hours ago, Evgenii said:

A month ago, Microsoft released security updates for Windows XP, which came out in 2001. It is distributed publicly and free of charge. This is the behavior of a healthy company.

I agree. They didn't have to, though - they just did because they wanted.

12 hours ago, Evgenii said:

About the abolition of the paid upgrade option. It is illegal.

Many people forget what they have bought. You basically owns a license for whatever version of WHMCS that is released at the time your subscription is active. That's what you buy. That's what WHMCS delivers.
I have yet to see someone providing proof of WHMCS stating they would either a) release security releases for EOL software or b) allow clients to order yearly updates and support.

What we've bought is an access to that specific version of WHMCS which we can use for as long as we want to. WHMCS does not suspend your license - it's still active.
While basically everyone can agree that it's bullshit behaviour, WHMCS isn't breaking any laws by not allowing clients to purchase updates and support anymore. That was not the product your purchased a lifetime license for - your purchased a lifetime license for version X, and through another product you could gain access to updates.

This has been discussed back and forth for years now. A lot of people wanted to sue WHMCS. It hasn't happened (at least not with a successful outcome) because there's no reason to sue.
 

[Evgenii]

I'm not asking you to upgrade version X to me. Just give me security patches for it! On the example of Microsoft: no one demands to give Windows 10 instead of Windows XP.

I bought version X. It contained vulnerabilities. I paid money. This is the company's fault. The company is obliged to correct its error. Dot.

Instead, they use their mistake as an excuse to force me to switch to a different type of licensing. They also pretend to be doing me a great favor!

[lulzkiller]

Im a owned license holder, i did not get the email. Can somebody please forward or copy paste a copy i can see ?

[bear]

17 hours ago, DennisHermannsen said:

WHMCS does not suspend your license - it's still active.

Unless you avail yourself of this offer, at which time they state clearly you are surrendering the owned one. 
Dennis has it right; you still own the license you purchased, but can no longer purchase that separate product: support for it. The license eventually becomes vulnerable or useless (or both), but it's still yours. 
I kind of expect after this deal that all patches and extended support for old versions will be dropped, and to be totally honest, if not for the uproar it would cause (legally and publicly) I believe they'd prefer to kill all the owned licenses outright. It's less profitable, even if it did help finance the product in the early years by those of us that were gullible enough to think owned meant forever usable. Kayako did it, WHMCS did it, there will be others.

[DennisHermannsen]

On 8/9/2023 at 7:12 PM, Evgenii said:

I bought version X. It contained vulnerabilities. I paid money. This is the company's fault. The company is obliged to correct its error. Dot.

You have a distorted view of how software licensing works.
There's multiple vulnerabilities in Windows 95 that hasn't been fixed, nor ever will be. If you paid for Windows 95, you're not entitled to a refund.
When you buy a license, you buy it "as is". It's standard for pretty much every license you buy, and it's even included in the EULA for WHMCS.

There is a reason the version of your WHMCS is EOL'ed. You can't expect any company to keep supporting specific versions of a software.

Again: WHMCS isn't doing anything wrong.
 

[Remitur]

13 hours ago, DennisHermannsen said:

You have a distorted view of how software licensing works.

In some countries, he is right.
Remember i.e. that in Europe they're debating a law about the liability rules for software, including free software
https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

https://fsfe.org/news/2023/news-20230323-01.en.html

So the author of any software will be responsible for his products for years to come...

[bear]

14 hours ago, DennisHermannsen said:

WHMCS isn't doing anything wrong.

Aside from morally. 😉

[Evgenii]

In this case, advice to everyone who is thinking of participating in this miracle "Promotion" for switching to monthly licenses with hints of blackmail hacking:

Better spend that money on a good WAF with a subscription, and don't worry about security.

Well, yes, I will not pay a penny more to such a company. That is my answer.

[bear]

1 hour ago, Evgenii said:

hints of blackmail hacking

I'm thinking that needs explaining. 

[WHMCS John]

Hi @Evgenii,

We work continually to improve the product including several major feature releases per year and many more maintenance releases in between. The changes we made in 2021 are essential to ensure continued compatibility with the over 150 3rd party services WHMCS integrates with natively, and so that we may continue to evolve and excel.

Please rest assured that you can continue to use the version of the WHMCS software purchased with your Owned license 12 years ago indefinitely, and we have honoured all Support & Update packages you purchased for access to subsequent updates to their conclusion.

Software maintenance and security updates are provided in line with our published Long Term Support policy. I believe you may be referring to our Security Update from June 2023. Due to the age of the version of WHMCS you're running (v5.3) a security update is not available for a release from 7 years ago. We are committed to provide security updates for at-least 1 year from the original release date, this is considered to exceed minimum requirements set out in current applicable laws. In the instance of the Security Update 2023-06-20, we further exceeded this by providing security updates for versions of the software originally released 3 years ago.

We do recommend running a current version of WHMCS to benefit from this security update and others,  compatibility with in-support versions of PHP, and many new features.

As you have highlighted, an additional optional payment was always required to access new software releases and technical support, the difference is that now the payment is monthly.  We appreciate that nobody likes a price change, so are pleased to offer a 25% discount for 2 years to help smooth the transition.

 

On 8/10/2023 at 12:56 AM, lulzkiller said:

Im a owned license holder, i did not get the email. Can somebody please forward or copy paste a copy i can see ?

Hi @lulzkiller,

We likely didn't have consent to send marketing emails to you. Please opt-in via https://www.whmcs.com/members/clientarea.php?action=details and we'll be sending a follow-up in the next week or so.

[Evgenii]

56 minutes ago, WHMCS John said:

Hi @Evgenii,

We work continually to improve the product including several major feature releases per year and many more maintenance releases in between. The changes we made in 2021 are essential to ensure continued compatibility with the over 150 3rd party services WHMCS integrates with natively, and so that we may continue to evolve and excel.

Please rest assured that you can continue to use the version of the WHMCS software purchased with your Owned license 12 years ago indefinitely, and we have honoured all Support & Update packages you purchased for access to subsequent updates to their conclusion.

Software maintenance and security updates are provided in line with our published Long Term Support policy. I believe you may be referring to our Security Update from June 2023. Due to the age of the version of WHMCS you're running (v5.3) a security update is not available for a release from 7 years ago. We are committed to provide security updates for at-least 1 year from the original release date, this is considered to exceed minimum requirements set out in current applicable laws. In the instance of the Security Update 2023-06-20, we further exceeded this by providing security updates for versions of the software originally released 3 years ago.

We do recommend running a current version of WHMCS to benefit from this security update and others,  compatibility with in-support versions of PHP, and many new features.

As you have highlighted, an additional optional payment was always required to access new software releases and technical support, the difference is that now the payment is monthly.  We appreciate that nobody likes a price change, so are pleased to offer a 25% discount for 2 years to help smooth the transition.

I don't need your support for 150 integrations and other nonsense. I write all the necessary integrations myself. You sold me code with vulnerabilities and now you want to pay even more to fix them. You encrypted the code so I can't fix your mistakes myself. Therefore, you are required to provide me with a correction of your mistakes made in version 5.3. Instead, you are blackmailing your clients.

[Evgenii]

1 hour ago, bear said:

I'm thinking that needs explaining. 

I'm talking about this newsletter:

Of course, we were talking about this vulnerability:

https://blog.whmcs.com/133735/security-update-2023-06-20

Quote

An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.

We have published new releases for active and LTS versions of WHMCS (v8.7 and v8.6) as well as a patch for EOL versions v8.5. Patches will not be released for any earlier versions of WHMCS.

How to call it otherwise than blackmail and extortion?

[lulzkiller]

The primary concern for me isn't the jump from $0 to a $100 monthly fee due to our growing user base that counts +1000 users.... It's the fact that our WHMCS is intricately tailored with numerous unique plugins. A simple update isn't feasible; we'd be looking at a $10,000-$20,000 expense just to ensure all plugins are compatible post-update. We have another WHMCS license for a different company that's up-to-date, and we're acutely aware of the issues each update presents. Every minor alteration can potentially disrupt a plugin. Our main license is currently on version 8.2.1, and frankly, most updates since then haven't been beneficial for us. We don't utilize many of the "features" added, which seem to be more for WHMCS's financial benefit than ours. So besides php8, not a single feature since our owned license 8.2.1, have any use for us. We will stick with our owned license instead and not be upgrading. 

[bear]

5 hours ago, WHMCS John said:

the difference is that now the payment is monthly

And forces continuity or lose admin access. That's another difference.
I get it. Not thrilled, but things move on. Nothing was done illegally, it simply hurts to have the price increase at the same time as losing "ownership", such as it was. 

I am quite thrilled WHMCS did allow somewhat more recent versions to get patched for the recent security issue, but it's understandable that doesn't extend to all versions from all time. If you really are on a 5x version...it may be time to consider leasing. I'm on an early 8x and nervous about it. 

[WHMCS John]

5 hours ago, Evgenii said:

I'm talking about this newsletter:

It is sensible advice to run your web stack on current and in-support versions of each part of the stack; Operating System, Webserver, MySQL, PHP and finally the application on top. There's nothing controversial about that 🙂

[Evgenii]

8 hours ago, bear said:

If you really are on a 5x version...it may be time to consider leasing. I'm on an early 8x and nervous about it. 

We all know very well that with each new update you add not only features, but also security bugs. From this point of view, 5x with WAF is already much safer.

7 hours ago, WHMCS John said:

It is sensible advice to run your web stack on current and in-support versions of each part of the stack; Operating System, Webserver, MySQL, PHP and finally the application on top. There's nothing controversial about that 🙂

Building a modern stack with PHP5 is very easy. Backporting all security patches in PHP5 is very easy, it's open source. At the same time, neither for the operating system, nor for PHP, I did not pay a cent. I paid you a handsome sum, but you are so greedy that you are not even able to release security patches once a year.

[WHMCS John]

@Evgenii There sure are some great benefits to FOSS. However, WHMCS is and always has been commercial software for businesses, meaning that a different paradigm applies.

 

@lulzkiller We love that businesses have integrated our platform to automate so many facets of their operations and are cognizant that an upgrade can be a big undertaking in those situations. Due to this, when a security update is made we try to provide them for as many past releases as practical, and for the past 5 years all our security updates have exceeded the Long Term Support policy.

If you didn't get your installations updated for our June security update, please open a ticket and Technical Support can assist: https://www.whmcs.com/submit-a-ticket/

 

 

[Evgenii]

1 hour ago, WHMCS John said:

@Evgenii There sure are some great benefits to FOSS. However, WHMCS is and always has been commercial software for businesses, meaning that a different paradigm applies.

Yep, so freeware is more responsible than you getting paid for your product.

And even Microsoft releases free updates for Windows XP even though they haven't sold it in 15 years.

Seriously, if you don't release security updates for all versions of WHMCS used by your customers, you're signing your own judgment. No one else with serious intentions will buy your licenses.

Edited August 16, 2023 by Evgenii

[DennisHermannsen]

15 hours ago, Evgenii said:

We all know very well that with each new update you add not only features, but also security bugs. From this point of view, 5x with WAF is already much safer.

Your version of WHMCS undoubtedly has more vulnerabilities than any recent version of WHMCS.
If you're paying for a monthly subscription, you are able to install security patches as soon as WHMCS releases them - that's not a luxury you have. A WAF running in front of a software that hasn't been updated in ~9 years (and has known vulnerabilities) on a version of PHP that has been EOL'ed for ~5 years (that has known vulnerabilities) will never provide you with the same security as running on updated software.
No one here cares what you do, though - but I hardly doubt your customers would appreciate you putting their data at risk.

I understand that WHMCS' change to their pricing model is upsetting - it was to us as well. While we don't agree with how their pricing model works, we understand the need to increase prices.
We had a few choices:

• Build (and maintain) our own in-house solution. This would take a lot of time and resources - and we would probably do a worse job at finding and patching exploits than the WHMCS developers
• Go with another CMS - unfortunately, nothing really compares to WHMCS regarding the features we're looking for
• Accept the price change and continue using WHMCS. This was the easiest solution since WHMCS helps us earn hundreds of thousands of dollars each year. Paying around $1200 per year (not even close to 1% of our annual revenue) meant we didn't have to do anything and could continue without any trouble. I know many companies annual revenue will be much lower, but so should their pricing tier be. We wouldn't even be able to have an agency develop and maintain a custom solution for that amount each year.

6 hours ago, Evgenii said:

And even Microsoft releases free updates for Windows XP even though they haven't sold it in 15 years.

WHMCS also releases security patches to some of the versions that they have EOL'ed. Neither Microsoft nor WHMCS has to do it, though. They just deemed it necessary.
Since Microsoft released the latest security patch to Window XP (4 years ago if I'm not mistaken), multiple new vulnerabilities has been found but these aren't receiving official patches.

WHMCS does a lot of things wrong, and I tell them regularly - but we need the software. We can work around the shortcomings of the software, we can extend the functionality and we don't really have to care about security as much.

7 hours ago, Evgenii said:

Seriously, if you don't release security updates for all versions of WHMCS used by your customers, you're signing your own judgment. No one else with serious intentions will buy your licenses.

You keep talking like everyone is going to stop using WHMCS due to these changes. The changes were made more than 2 years ago, and it seems like WHMCS are thriving - a lot of new features are added. Although it's questionable how many of those features were ever requested by anyone.
We all get that you're frustrated - but there's no proof that WHMCS has doomed themselves as everyone thought.

Believe me: You are wasting your time complaining to WHMCS about their pricing. At the moment, you're not even a paying customer - they won't lose anything if you use another CMS.

[Evgenii]

Oh, I really like your message. I can tell you're the kind of professional liar who throws unsupported arguments at us, hoping no one will check.

5 hours ago, DennisHermannsen said:

Your version of WHMCS undoubtedly has more vulnerabilities than any recent version of WHMCS.

An unsubstantiated claim that you have no way of proving.

5 hours ago, DennisHermannsen said:

If you're paying for a monthly subscription, you are able to install security patches as soon as WHMCS releases them - that's not a luxury you have.

List the "known vulnerabilities" other than the one WHMCS is threatening all its customers with right now. By the way, it was also in your version exactly 2 months ago, and you could very well have been hacked through it. How much you get out of your subscription, what a great level of security! It makes you want to say "Shut up and take my money".

5 hours ago, DennisHermannsen said:

on a version of PHP that has been EOL'ed for ~5 years (that has known vulnerabilities) will never provide you with the same security as running on updated software.

https://access.redhat.com/solutions/409673

Quote

Red Hat will backport any bug fixes or security errata that are relevant to the version of PHP that is part of Red Hat Enterprise Linux.

PHP5 is still safe to use. And you're lying.

5 hours ago, DennisHermannsen said:

YNeither Microsoft nor WHMCS has to do it, though. They just deemed it necessary.
Since Microsoft released the latest security patch to Window XP (4 years ago if I'm not mistaken), multiple new vulnerabilities has been found but these aren't receiving official patches.

https://www.microsoft.com/en-US/download/details.aspx?id=55429 Security Update for Windows XP SP3 (KB4024323)
It was released the day before yesterday. Not four years ago, and you're lying again.

5 hours ago, DennisHermannsen said:

Although it's questionable how many of those features were ever requested by anyone.

Features that no one uses. Every update causes pain and a lot of bugs. No one uses the "vanilla" WHMCS, everyone modifies it to suit themselves. And in that vein, 99% of WHMCS customers don't need new features. They just need security updates for their particular version, and they're willing to pay for it. So what does WHMCS do? Like crazy, stamps 1 major version per year (announcing all of last year's EOLs of course), forcing all of its customers to choose between suffering or "freezing" their version. This is what others in this thread (ah yes, you didn't read it, sorry) have been writing to you about.

Summarizing:

The old version of WHMCS with PHP 5 in 2023 is safe to use, all you need to do is install the security patch. WHMCS, taking advantage of the fact that there is a vulnerability, is trying to profit and blackmail their customers by not giving the patch. They invoke some kind of Long Term Support policy that didn't exist when I personally made the deal with them. They sold me software that is safe to use in 2023 (OS, MySQL, web server and PHP allow it), but which contains vulnerabilities that WHMCS personally allowed. They got paid for this software. But now they refuse to fix their bugs, citing a document they themselves made up a couple years ago. Even Microsoft doesn't behave like that.