[Info-vax] OpenVMS Security (was Re: VSI strategy for OpenVMS)
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Sep 16 14:23:19 EDT 2021
On 2021-09-16, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>
> AFAIK, none have gotten (valid) CVEs logged against OpenVMS, which is
> why CVE counts and related cross-platform comparisons are problematic.
>
When it comes to CVEs, there are also some things VSI can do at the
non-technical level:

1) Provide a secure and published way for vulnerabilities to be reported.

2) Confirm that if vulnerabilities are reported, VSI will _promptly_
apply for CVE(s) as required once the issue has been confirmed.

3) Confirm that, once the patch has been published, they will at the
same time publish a public reference for the CVE(s) so that Mitre can
unlock any CVE(s) and publish the CVE(s) at the same time the patch is
released.

External security researchers are likely to hold VSI to a higher standard
than they have been held to so far by people from within the VMS community,
especially given the marketing language that VSI management are so fond of.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.