[Info-vax] VSI's lack (still) of a secure security reporting mechanism, was: Re: VMS and the Internet of Things (IoT)

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Oct 3 21:40:54 EDT 2016


On 2016-10-02, Kerry Main <kemain.nospam at gmail.com> wrote:
>
> As discussed in this thread, in the rush to create IoT devices,
> few IoT vendors have thought much about IoT security.
>

And as also discussed in this thread, VSI _still_ doesn't even have
any method on their website for a third party security researcher to
securely contact them with sensitive information about VMS
vulnerabilities. This public and secure reporting mechanism is
security 101 these days, especially when an organisation is selling
their products based on a security reputation.

Here's HPE's reporting mechanism (once again):

https://www.hpe.com/h41268/live/index_e.aspx?qid=11503

Quote: "The Hewlett Packard Enterprise PSRT is dedicated to providing
responses to reports of potential security vulnerabilities in a timely
manner."

This is Microsoft's reporting mechanism:

https://technet.microsoft.com/en-us/security/ff852094.aspx

Quote: "The Microsoft Security Response Center investigates all
reports of security vulnerabilities affecting Microsoft products and
services. If you are a security researcher and believe you have found
a Microsoft security vulnerability, we would like to work with you to
investigate it."

This is IBM's reporting mechanism:

http://www-03.ibm.com/security/secure-engineering/report.html

Quote: "Security researchers, industry groups, government
organizations and vendors concerned with product security can report
potential security vulnerabilities directly to IBM PSIRT."

Here's Red Hat's:

https://access.redhat.com/security/team/contact

Quote: "Red Hat takes security very seriously, and we aim to take
immediate action to address serious security-related problems that
involve our products or services."

It's pathetic that VSI don't have anything similar (with similar
"we want to work with you" type language) on their website; it
will send out a very bad message to any security researcher trying
to help VSI by reporting a security issue to them.

Once again, a secure security bug reporting mechanism is security 101
these days and we shouldn't even be having this conversation because
it should simply be there on the VSI website ready for a security
researcher to use.

BTW, all the above are fully compliant with today's standards and
are perfectly suitable, but if I had to choose, I would choose the
IBM one as a general template.

With IBM, you have the traditional encrypted email option but you
also have an online secure submission form option. IBM also directly
address what the security researcher's disclosure plans are and the
timeframe in which they intend to make that disclosure.

It would be interesting to know if this whole area was even
discussed at the Bootcamp.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world