[Info-vax] OpenVMS Security (was Re: VSI strategy for OpenVMS)

Dave Froble davef at tsoft-inc.com
Thu Sep 16 17:07:16 EDT 2021


On 9/16/2021 2:23 PM, Simon Clubley wrote:
> On 2021-09-16, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>>
>> AFAIK, none have gotten (valid) CVEs logged against OpenVMS, which is
>> why CVE counts and related cross-platform comparisons are problematic.
>>
>
> When it comes to CVEs, there are also some things VSI can do at the
> non-technical level:
>
> 1) Provide a secure and published way for vulnerabilities to be reported.
>
> 2) Confirm that if vulnerabilities are reported, VSI will _promptly_
> apply for CVE(s) as required once the issue has been confirmed.
>
> 3) Confirm that, once the patch has been published, they will at the
> same time publish a public reference for the CVE(s) so that Mitre can
> unlock any CVE(s) and publish the CVE(s) at the same time the patch is
> released.
>
> External security researchers are likely to hold VSI to a higher standard
> than they have been held to so far by people from within the VMS community,
> especially given the marketing language that VSI management are so fond of.
>
> Simon.
>

If a large number of people are aware of VSI marketing, then, that's a 
positive thing, right?

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486


