[Info-vax] DCL vulnerability write up on The Register
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Feb 8 14:03:06 EST 2018
On 2018-02-08, Bill Gunshannon <bill.gunshannon at gmail.com> wrote:
>
> This should be sent to the Register as well. This kind of bad
> performance is just up their alley for reporting.
>
Then you would have to include VSI management. If the HPE information
is at all recent, then neither VSI management nor HPE have exactly
covered themselves in glory here.

1) Trying to get a CVE out of VSI was a very long, painful, drawn-out process.

2) There's no information on the VSI website about security incidents,
fixes and workarounds.

3) Even now, their security reporting mechanism is still in testing.

4) Things should have started happening (including CVE assignment)
after the first part of my discovery (getting into supervisor mode).
It shouldn't have waited until I worked out how to turn it into an
exploit, given that this knowledge was clearly already known internally.

So far, VSI Engineering are the only people who have performed to the
standards I would expect.

BTW, I made a point of asking VSI in the early days of this incident
if they would notify HPE and they said yes, so HPE should have known
about this for quite some time.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world