[Info-vax] VSI OpenVMS Hobbyist Program Announced.

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sat Jun 15 13:04:42 EDT 2019


On 2019-06-15, Terry Kennedy <terry-groups at glaver.org> wrote:
>
> Personally, I don't mind
> paying a small annual fee to cover my part of that, particularly if it came
> with the ability to send bug reports "over the wall" so a developer would
> read them (without any commitment to answer or fix the issue - but
> hobbyists have found a fair number of bugs in the past and had no way to
> get HPaqital to even look at them, unless they had a commercial support
> agreement at their place of employment).
>

That bug reporting issue falls into two categories: non-security bugs
and security bugs.

Reporting non-security bugs is how you describe, but reporting
security related bugs has very specific standards and both HPE
and VSI _are_ expected to respond to you, and in a reasonable
amount of time, when you report a security related bug regardless
of whether you are a customer or not.

HPE/VSI are also expected to actually fix security related bugs within
a reasonable amount of time, usually about 90 days. You don't get the
fix for free simply because you reported it, but the fix should be
available for HPE/VSI customers to download and apply by the end of
that period.

Anyone reporting a confirmed security issue should also ask for a CVE
to be assigned, and for a public reference document to be made available
that can be referenced from the CVE, so the issue is documented.

For HPE, if anyone has a confirmed security bug which is exploitable
on Itanium, send it via the normal HPE security reporting mechanisms.

The situation for VSI is much more difficult however for non-customers
because VSI appear to have removed the security reporting mechanism
they eventually placed on their website after I told them (many times)
they needed one.

I certainly don't see anything on VSI's contact page. Can anyone else
see where VSI may have placed it if it is still online?

_If_ it has been removed from the VSI website, then I really don't know
what on earth VSI are playing at here. :-(

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


