[Info-vax] VSI Community License Program - x86

[Arne Vajhøj]

On 4/14/2023 8:37 AM, Simon Clubley wrote:
> VSI has just had an excellent writeup in The Register, and instead of
> moving full steam ahead in response to that and giving a wide range of
> people access to x86-64 VMS, so they can play with it, VSI turn around
> and say we will gradually allow access over a 3 _month_ period. :-( WTF ???

It would be nice if that happened a bit faster.

1000 people at 100 per day is just 10 days.

> Oh, and according to that email, you are not allowed to contact them
> other than through the community forum, and if you do, your responses
> will be initially ignored and your access eventually blocked.

They don't want their support channel for paying customers blocked
by 500 hobbyists having problems with their PC or their VM software
or their network or whatever.

I think that is both reasonable and standard for community licenses.

> So what is someone who finds a vulnerability in all this new code expected
> to do ? Just post in the forum and hope no one does something bad with it ?
> Contacting VSI privately, and via the customer portal which they don't
> want you to use, is exactly the kind of way security issues should be
> reported - securely in private and via a formal mechanism.

VSI should have an official channel for reporting security
vulnerabilities.

But if not then those finding the vulnerabilities would
need to find a path.

One option is to use the other channels and assume VSI does
distinguish between "There is a remote code execution vulnerability
in product XYZ" report and "When I try to install VMS in VM ABC on
laptop FooBar I get error message XXXXXX" reports.

Another option would be to post in the community forum "Hi VSI - I think
I found a serious security vulnerability - please email me to get
details.".

I suspect that it is easier to get hold of VSI than to find a
serious security vulnerability.

Arne