[Info-vax] DECnet Phase IV and VMS code comments
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Nov 28 09:03:10 EST 2016
On 2016-11-28, David Froble <davef at tsoft-inc.com> wrote:
> Simon Clubley wrote:
>> A really simple example: VSI _still_ didn't have a secure security
>> vulnerability reporting mechanism established the last time I checked
>> their website; they seem to be completely dismissing the possibility
>> that security issues may be reported by unrelated third parties who
>> may expect things to be done in a certain industry established way.
>
> Ya know, before you mentioned it, I was unaware that "security researcher" was a
> profession. I'm still a bit skeptical. "Industry established way", hmmm,
> another declaration of standards I'm unaware of. Guess I REALLY don't get out
> much ....
>
You _really_ need to get out more David. :-)

Google for "responsible disclosure" and do some reading; the world is
very different from the way that you appear to perceive it to be.

Basically, the security researcher tells the vendor via a secure
mechanism that the vendor has a problem and typically gives the
vendor around 60 days to fix it before the problem, including exploit
details, is made public.

That's the standard in today's world.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world