[Info-vax] VSI's lack (still) of a secure security reporting mechanism, was: Re: VMS and the Internet of Things (IoT)
David Froble
davef at tsoft-inc.com
Tue Oct 4 23:34:24 EDT 2016
Simon Clubley wrote:
> On 2016-10-04, David Froble <davef at tsoft-inc.com> wrote:
>> Tym Stegner wrote:
>>> The last page of VSI roadmap provides an email address for any questions regarding VMS:
>>>
>>> For more information, please contact us at: RnD at vmssoftware.com
>>>
>> Now, now, don't go busting Simon's bubble, he's having so much fun with it ..
>>
>
> Sorry you think that David, but I am not having fun with this.
>
> What I am feeling however is increasing concern that the VMS community
> may be sleepwalking, due to complacency, into a security situation
> that it is ill prepared to deal with and which could go bad very quickly.
I'd agree with that.
> My attitude is that I am trying to do people a favour by trying to make
> them realise that the security situation with regards to VMS is about
> to change big time and to jog them out of that unjustified complacency.
> This is not about me having fun.
>
> We have VMS about to become available on common x86-64 hardware and we
> have a vendor (VSI) shouting from the rooftops about how massively
> secure VMS is and believe me, this latter point will be like waving
> a red flag not to a single bull but to a whole herd of them once the
> right security researchers become aware of it.
Yes, and it's both a problem, and an opportunity. VMS will need to close any
possible avenues of attack. But if it does, and researchers start talking like
the way back DEFCON people did, it could be an advantage.
> And please don't say how things were ok back in the 1980s/1990s because
> while you are correct, you also need to understand how much things have
> changed since then.
>
>> :-)
>>
>> But, yeah, if I found an issue, I'm sure I could find someone to discuss it
>> with. Don't need so much formality ....
>
> Then why do all the other major OS companies on the planet all invest
> in formal reporting mechanisms and security teams which allow the
> security researchers to communicate _easily_ and _securely_ with the
> companies in question ?
>
> You really don't want to make the security researchers run through
> a maze trying to find people to contact in a _secure_ manner at VSI
> especially when no other major OS company, including HPE, makes them
> do that.
I'm not such a formal guy, not like Dirk with his RFCs, and your need for some
formal reporting mechanism. As I wrote, I'm sure anyone with enough knowledge
also has knowledge of VSI, and could contact them, if desired.
I also still feel that your "I'm giving you X days, and then I'm going to expose
this problem" attitude is not so good, being kind in my description. Don't
bother to argue, I doubt there is anything you can say to change my mind. We're
just going to have to disagree.
> Simon.
>
> PS: Oh, and I already sent VSI email on this subject to the above
> RnD address back somewhere in the middle of August.
>
And I do believe that it's been reported that VSI is talking about this
internally. Don't know what's your hurry, unless you're expecting the x86 port
tomorrow ....