[Info-vax] Should VSI create a security bug bounty program for VMS ?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Thu Sep 1 11:16:23 EDT 2016 

On 2016-09-01 13:22:49 +0000, Simon Clubley said:

> On 2016-08-30, Kerry Main <kemain.nospam at gmail.com> wrote:
> 
>> Commodity OS's have 20+ security patches released each and EVERY month. 
>> Security patches - not normal bug patches. Yes, not all apply to all OS 
>> versions. Not all apply to the Products or services these OPS group 
>> actually use.
> 
> And VMS would be seeing a lot more patches if it's internet related 
> components were updated at the rate they should be.

Ayup.

Do I like patches that often?  No.   But I like patches and critical 
updates that are months or years late even less.   That delay just 
leaves everybody open for shenanigans, from whatever activity or 
exploit or disclosure triggered the original development of the patch, 
or from anybody that can read the CVEs and the exploits and do a little 
digging.

In areas where the sources are common — various of the web-facing 
components and some security components — OpenVMS is missing a whole 
lot of those patches and updates.    The DNS server version on OpenVMS 
— not exactly an inconsequential component of network security — is 
long deprecated, for instance.  It's a good bet that some of the 
patches related to the DNS server also apply to OpenVMS, too.

Even what are considered high-priority security patches usually arrive 
a month later on OpenVMS.   On other platforms, those patches are 
either immediately available, or arrive within a day or two.

Then there's how much I despise having to periodically and manually log 
into a patch portal and check for new patches and download the patches 
and unpack the patches and read the patch installation notes and then 
copy the patches to the target servers and issue the manual patch 
commands and run the rolling reboots or whatever other updates are 
required.   This whole patch process is patently absurd.

Pointing at dozens of patches for the other platforms might makes for 
some decent vendor marketing, certainly.  Pointing at a long-deprecated 
DNS server version and at OpenSSL patches that are usually a month late 
and that are probably then not very widely or quickly installed, or 
that OpenVMS might not see some applicable fixes and patches for years 
— which is what end-users such as Stark and other OpenVMS customers 
encounter — not so much.

Then there's that — (should? when? if?) OpenVMS becomes more 
successful, and as OpenVMS inherently increases in scope and scale, and 
as OpenVMS incorporates more open source — the most probable patch 
trend will be an increasing number of patches and/or the need to 
install at least certain patches or updates much more quickly, and 
quite probably both.







-- 
Pure Personal Opinion | HoffmanLabs LLC

More information about the Info-vax mailing list