Look at how fast Linux patches issues, all in the face of public scrutiny. They have embraced open public feedback as the quickest way to escalate important security issues.
Microsoft are now not far behind and have gone down the open disclosure path.
Public disclosure of security issues has multiple effects:
1. It creates customer awareness of the severity of the issue and from that they can quickly assess if they are exposed.
2. It keeps vendors on their toes and ensures they cannot simply brush it under the table waiting for a critical mass of customers to report it before acting (i.e. it tempers bean counters' involvement).
3. It acts as an external audit.
Rather than people whinging and bitching over security vulnerabilities being made public, which is nothing more than hoping no one sees your dirty laundry being aired, how about spending the time and effort on fast, frictionless reporting processes for the same, so that the community can provide the quickest feedback possible and have that information broadcast in increasing circles of notification as quickly as possible?
Maybe, just maybe, OpenVMS may take back the security crown by doing these sorts of things.
A security problem left open because some vendor tried to quell a known issue by trying to restrict the information flow is a vendor who's storing up a whole lot of hurt for their product and their customers.
The public are moving on from looking down their nose at systems with security issues to accepting that staying secure is a vision and something in constant flux, as long as those system vendors are seen to act quickly when an issue is raised. People expect live protection, ongoing protection; they realise it's a moving target now. They are looking to their vendors to act as quickly as possible on a raised issue. They don't care who reported it, they care that it gets fixed ASAP.
It's not about waiting for some vendor to announce they have found something, it's about using a 360 degree model to be notified of issues ASAP. Who gives a toss where the vulnerability is announced from? What's important is being notified as quickly as possible and then having your vendor patch it as quickly as possible to reduce your exposure.
HP IMO went totally the wrong way with removing VMS patches. They removed the ability of the community to report back issues found, which ultimately turned the hobbyist program into pretty much a useless source for real world testing (i.e. I've seen plenty of posts from hobbyists saying they found a bug only to have someone tell them that was fixed in patch xyz). The community is the greatest testing ground ever. Learn from Google!!!
VMS and the mindset of some of its community really needs to move on from the notion that "Security by Obscurity" is a good model. It's not; the world is a hell of a lot more sophisticated than that now, and anyone pushing that model clearly is out of touch with the security landscape out there.
VMS needs to rebuild its security model from the ground up, including reporting tracks and fast and open rapid security information dissemination.
Look how long unencrypted SCS traffic has existed for!
This sort of crap should have been fixed donkey's years ago but has persisted longer than it should have because of complacency of vendors and customers, and because the vendor drove the pace of security and not the customer nor the marketplace.
Time to move on and create a culture of security where security issues are given top priority and where the VMS community and open feedback are seen as the driving force behind securing VMS systems.
You won't do this if information is squirreled away in some secret dossier that only gets revealed to secret squirrel members who promise only to whisper to others who can perform the secret squirrel handshake.
VMS and its community should be the source of security dissemination, and onlookers could be looking in saying "shit, that VMS OS and its community certainly know security, wish our OS could do that...". This could be a differentiator.
Or we can continue to live in the VMS "security library", you know, "shhhh, don't say that out loud, someone might hear VMS has a security issue". *sigh*
Maybe one day we can say things like...
VMS, Security Secured through Community