[Info-vax] VSI's lack (still) of a secure security reporting mechanism, was: Re: VMS and the Internet of Things (IoT)
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Oct 4 15:23:34 EDT 2016
On 2016-10-04, David Froble <davef at tsoft-inc.com> wrote:
> Tym Stegner wrote:
>> The last page of VSI roadmap provides an email address for any questions regarding VMS:
>>
>> For more information, please contact us at: RnD at vmssoftware.com
>>
>
> Now, now, don't go busting Simon's bubble, he's having so much fun with it ..
>
Sorry you think that, David, but I am not having fun with this.
What I am feeling however is increasing concern that the VMS community
may be sleepwalking, due to complacency, into a security situation
that it is ill prepared to deal with and which could go bad very quickly.
My attitude is that I am trying to do people a favour by trying to make
them realise that the security situation with regards to VMS is about
to change big time and to jog them out of that unjustified complacency.
This is not about me having fun.
We have VMS about to become available on common x86-64 hardware and we
have a vendor (VSI) shouting from the rooftops about how massively
secure VMS is and believe me, this latter point will be like waving
a red flag not to a single bull but to a whole herd of them once the
right security researchers become aware of it.
And please don't say how things were OK back in the 1980s/1990s because
while you are correct, you also need to understand how much things have
changed since then.
>:-)
>
> But, yeah, if I found an issue, I'm sure I could find someone to discuss it
> with. Don't need so much formality ....
Then why do all the other major OS companies on the planet all invest
in formal reporting mechanisms and security teams which allow the
security researchers to communicate _easily_ and _securely_ with the
companies in question?
You really don't want to make the security researchers run through
a maze trying to find people to contact in a _secure_ manner at VSI
especially when no other major OS company, including HPE, makes them
do that.
Simon.
PS: Oh, and I already sent VSI email on this subject to the above
RnD address back somewhere in the middle of August.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world