Originally Posted by Snips from vBulletin support
All EXIF data is stripped, even on images that are not resized. EXIF data is not secure and can be used to compromise a web server.
...
Because there is no control over what is in the EXIF data. Every camera and graphics application does it own thing with this data. Users can include Javascript in these fields and exploit your site because some browsers (cough cough, IE and Edge) will execute it. Worse on an improperly configured server, you can include PHP in the EXIF data and have it processed by the server. Since we have no control over the server and have a duty to make the software as secure as possible, we remove the EXIF data.
...
Resized images are always stored as JPEG image....
...
If you're willing to store full size images (up to 4608 X 4608 and not have them resized by vBulletin then the EXIF data would most likely be retained. You would have to adjust the sizes under Attachment -> Attachment Storage Type. Both dimensions and file size have to be adjusted. If any of the three (height, width, size) go over the maximum specified, then the image will be resized, converted to a JPEG and have its EXIF stripped.