[Info-vax] Should VSI create a security bug bounty program for VMS ?

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Sep 1 09:13:41 EDT 2016


On 2016-08-31, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2016-08-31 01:17:17 +0000, Simon Clubley said:
>
>> On 2016-08-30, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>>> 
>>> Why look for (more) holes when more than a few of core network services 
>>> and tools (Apache, NTP, DHCP, php, Java, SMH, etc.) are problematic, 
>>> and when there are lists of CVEs available?   VSI is certainly working  
>>> on at least some of these areas, with a more recent Apache and Java 
>>> reportedly underway, and a new IP stack in development, among other 
>>> projects.
>> 
>> Because when you make a comment like that you are not thinking about 
>> this in the way that you should be.
>
> I'm not inclined to go looking for new holes.   When the proverbial 
> "low-hanging fruit" is plentiful, looking for truly sneaky holes is 
> wasted effort.
>
> The most recent version of Java available for OpenVMS, for instance, 
> has ancient and insecure crypto.   SNMPv2 is unencrypted.  Apache, 
> DHCP, php, SMH, etc., are down-revision and have vulnerabilities...
>

And I completely agree with all that. VSI (and HP) should be handling
all this automatically without it even needing to become a topic for
discussion. The fact they are not is a major failing in both of their
processes and makes a joke out of their (especially VSI's) strong
security marketing.

I'm thinking more about what's going to attract security researchers
to invest time in looking at VMS in the first place, and the fact it's
something different, and with this strong security message from its
vendors, is really good motivation for those researchers.

> Get a current foundation in place, get current tools in place, then go 
> looking for more.   Once security is more competitive and more robust 
> (ASLR, sandboxing, etc.) and when the funding is available for it, then 
> start increasing the costs of the security bugs in the market through 
> programs such as a bug bounty.
>
>> VMS itself OTOH represents something new to most security researchers 
>> and it's an operating system that one of its vendors says the 
>> following about:
>> 
>> 	https://vmssoftware.com/products.html#security
>
> Maybe I've been too subtle in my comments?   I find that particular VSI 
> marketing problematic.   For various reasons.  I'm aware of the 
> responses it can engender.
>

Thanks for making that clear; I wasn't sure what you thought about that.

>> When you say things like that, some outside researchers will see that 
>> as a challenge and as a way to make a name for themselves if they find 
>> several exploits in an operating system described as...
>
> I already pointed to a comment from one of the folks involved in the 
> DEFCON attacks that stated exactly that.  
> http://labs.hoffmanlabs.com/node/1004#comment-786
>

I wasn't aware of that comment, thanks. It confirms my position that if
VSI continue saying the kinds of things that they are currently saying,
then they need to be aware of what is going to happen and how they
_seriously_ need to up their game in preparation for when it does.

>> BTW, that RMS bug is a nasty one and is also a good example of issues 
>> that might be lying around which can blow VMS security wide open at 
>> any time. Imagine what could have happened if an external researcher 
>> had found that and reported it using full disclosure instead of 
>> responsible disclosure.
>
> OpenVMS security has issues, and I'll (again) not comment further.
>

That's understandable given your insider insights. I hope you are
trying to push VSI to address your concerns however.

> If y'all find bugs in OpenVMS, send'm to VSI.   Or not.
>

If I did find something then I most certainly would, bug bounty or no
bug bounty, and I would do it on a responsible disclosure basis. It would
be nice to have some industry standard secure way to send sensitive
material to VSI, however.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world