>> BTW, I now have my licences so thanks to everyone for their comments.
>>
>
> What? You're thanking me for my comments? Interesting ....
>
I obviously mentally filtered you out, David. :-)

> Let me throw another scenario at you, one that I'm sure exists at more than one
> user site.
>
> Say some site is still running an old version of VMS. V6.2, V7.2, whatever, but
> a version that is no longer supported. Also say that for whatever reason, and
> it doesn't matter what reason, the site just cannot upgrade the OS version.
>
> Then you find a vulnerability. One that affects all versions of VMS. You
> report it, and a fix is promptly developed and distributed to everyone running
> the latest version, and whatever earlier versions still under support, or even
> versions where the fix can be used. However, the fix will not work with say
> V6.2, and VSI / HPE says to you, "These customers cannot upgrade, and there is
> no fix for the vulnerability for them. They have been notified. Please for
> their sake do not disclose the vulnerability."
>
> What would you do?

After the patch has been released, and hence the disclosure waiting
period has expired, the vulnerability gets released, end of story,
unless an additional _short_ extension period, in addition to the one
detailed below, is requested while the sites in question implement
additional security measures. If the latter request was made of me,
I would probably go along with it.

You should also be aware that I have decided that if I ever did find
something, then there would be a short period anyway after the patch
was released (up to about a month) before the details were released.
This additional time is to allow people a short period of time to
install the patch in a controlled manner instead of them having to
race to install patches on the same day as the details become available.

The one thing I can't seem to make you understand, David, is that this
is not some exclusive-or situation. Both the "good" people and the "bad"
people can know about the same vulnerability at the same time.

People also know that there's a vulnerability to be found because
it's now in a MUP patch for the currently supported customers.

If releasing the vulnerability information after the patch becomes
available causes them security problems which they cannot resolve,
then they were wide open from a security viewpoint anyway.

This is exactly the same problem as those who are continuing to run
Windows XP systems in production in 2017. If you have not isolated
your XP machines from the wider Internet or your own internal networks,
then you are being grossly irresponsible by running a known insecure
version of an operating system on your network.