[Info-vax] Should VSI create a security bug bounty program for VMS ?

David Froble davef at tsoft-inc.com
Thu Sep 1 10:24:11 EDT 2016


Simon Clubley wrote:
> On 2016-08-30, Kerry Main <kemain.nospam at gmail.com> wrote:
>> What do you think the % of hackers is that have the level of understanding to
>> hack an OpenVMS account? 
>>
> 
> One hell of a lot more than currently exist when VMS becomes available on
> x86-64 hardware, especially if VSI do some kind of hobbyist program.
> 
>> SMG was a biggie. Agree. Finger was an issue back 15+ years ago as I recall,
>> but let's be real - how many OpenVMS sites ever turn on the TCPIP Finger
>> service? 
>>
> 
> That's not the point; the finger problem appears to have been a format
> string vulnerability; if so, it should never have passed code review
> in the first place. The obvious question is, do any similar problems
> exist in other parts of the stack ?
> 
>> Commodity OS's have 20+ security patches released each and EVERY month.
>> Security patches - not normal bug patches. Yes, not all apply to all OS
>> versions. Not all apply to the Products or services these OPS group actually
>> use.
>>
> 
> And VMS would be seeing a lot more patches if its internet-related
> components were updated at the rate they should be.
> 
> Simon.
> 

Yeah, it's a bit hard to "hack" something you cannot make a connection to ..
