[Info-vax] VMS and security research, was: Re: Questions and observations about OpenVMS
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Sun Mar 7 19:30:21 EST 2021
On 2021-03-07, Bill Gunshannon <bill.gunshannon at gmail.com> wrote:
>
> Retirement is boring. I am thinking of playing with Kali Linux and
> Penetration Testing. Maybe I'll make VMS my target and see what it
> says. :-)
>
Go for it. Seriously.

I would ask that you and anyone else thinking of doing this follow
responsible disclosure practices, however.

Basically, you give VSI 3 months to fix a vulnerability before you
release the details. Although you are not required to do the following,
I would also suggest that anyone who finds a vulnerability also
give people an additional month after the patch has been released
(assuming the patch has been released within the deadline you set)
before you release any details. That is what I ended up doing.

You are very unlikely to get a CVE if you just confirm that an
existing vulnerability is also a vulnerability on VMS. If you find
something unique and new that isn't already known about, you should
get a CVE from VSI for that, however.

How easy that will be to get from VSI these days, and along with
a prompt public reference on their website so Mitre can mark the
CVE as public, I do not know. Hopefully, things will have improved
over the last 3 years.

VSI do not have a way to securely report vulnerabilities, so you
will have to find another method, such as one of the email addresses
listed on their website, to report any vulnerabilities.

Happy (responsible) vulnerability hunting. :-)

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.