Simon Clubley
2016-08-15 12:39:19 UTC
Should VSI create a security bug bounty program for VMS?
I think there could be a number of advantages to this, provided
people in the VMS community were prepared to deal with any bugs
found in a responsible manner and not shout down any reporters.
The correct model should be a Responsible Disclosure model IMHO
so that VSI get the chance to fix the problems but also so that
any issues found are not swept under the carpet and hidden. This
also means the VMS community can discuss the implications of any
issues found as they relate to the design of VMS.
Likewise I would expect any discovered issues to be assigned CVE
numbers rather than being silently fixed in a patch without
telling the world about the issue. That's the standard for other
products and it should be the standard for VMS as well.
I would suggest a 30-day disclosure target for simple issues to
60 days for more complex issues. If something exposes a complicated
design flaw in VMS (say for example you did something clever to
get to the kernel via RMS) then extending the disclosure period
to 4-6 months would be acceptable but this disclosure period
duration should only be used when justified by the specific issue.
The bug bounty program should only apply to products shipped by
VSI (including any layered products with security implications)
and not to any third party products such as WASD which are
downloaded by the end user.
Just to be clear: I'm not associated with VSI in any way. I just
want to see what the community thinks about this.
Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world