[Info-vax] VMS First-Boot on x86 Contest
IanD
iloveopenvms at gmail.com
Sat May 26 14:17:06 EDT 2018
On Monday, April 23, 2018 at 8:02:08 AM UTC+10, Simon Clubley wrote:
<snip>
>
> Also, Mitre told VSI that giving credit to the researchers is
> important and that Mitre hoped VSI would amend their original
> notification to include that, which they have still not done.
>
> As mentioned previously, in my case I'm not really annoyed VSI didn't
> do that because that isn't why I did this work. However, if VSI
> try the same stunt with the third party researchers and refuse to
> give the researchers credit, those researchers are likely to get
> rather annoyed with VSI.
>
Absolutely.
Showing publicly you have good working relationships with security institutions goes a long way to bolstering your public image that you're on top of security issues.
To not do so IMO goes back to DEC days where vulnerabilities were a closed-mouth situation: speak no evil and your customer will think they are OK.
Public ramifications these days trump the desire to look squeaky clean by never airing dirty laundry. It's a mug's game. Information always gets out and then you're left defending your position as to why you didn't disclose earlier and why you left your customers vulnerable.
> BTW, in case anyone wonders, the reason why I know what Mitre said
> is because I had a brief email discussion with them when I was trying
> to find out why the CVE hadn't been made public yet at that point
> in time, which was way past when it should have been.
>
> Simon.
>
> --
> Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> Microsoft: Bringing you 1980s technology to a 21st century world