[Info-vax] A new VMS?

Arne Vajhøj arne at vajhoej.dk
Sun May 2 11:40:28 EDT 2021


On 5/1/2021 11:46 PM, Simon Clubley wrote:
> On 2021-05-01, David Turner <dturner at islandco.com> wrote:
>> Support?
>>
>> PARSEC
>>
>> BRUDEN
>>
>> SECTOR 7
> 
> I don't see how this is a viable option.
> 
> The typical timeline for a security issue these days goes something
> like this, assuming that VSI management were to follow responsible
> disclosure procedures (yeah, yeah, I know...):
> 
> Security researcher reports an issue to VSI (probably to one of the VSI
> people directly as VSI doesn't have a security reporting mechanism)
> and gives them a maximum of 90 days to fix the issue before revealing
> the details.
> 
> VSI investigates, confirms the issue over the next few days and
> requests a CVE.
> 
> VSI works on a patch, releases it within the 90 days and provides a
> public reference for the patch so the CVE can be updated with a
> summary of the vulnerability and made public. This is the first point
> at which the above companies will know there is a security issue which
> needs fixing.
> 
> Security researcher either then releases the details immediately after
> the patch is released or they give users a little bit of time (up to
> a month or so) to install the patch.
> 
> Question: how can the above support companies possibly develop and
> release their own patch for the security issue immediately after the
> VSI patch is released?
> 
> They may not have the vulnerability details if the researcher holds
> off for a while before releasing them and they certainly don't have
> an up to date buildable copy of the VMS sources which are used to
> build the VSI releases.
> 
> In that situation, how could they possibly be an alternative to VSI
> support?
>

For closed source all support vendors are not created equal.

The one with the source has some advantages.

>> Numerous large companies like Park Place, IBM, etc etc etc
> 
> IBM does VMS support?

Never heard about it.

But I cannot see why the consultant branch of IBM should turn
down money to do VMS support. Their business is to provide what the
customers are willing to pay for.

Arne




