Why Submit?
At VMS, safeguarding the security of our products and services is paramount. We recognize the importance of promptly addressing any potential security vulnerabilities that may arise. If you believe you have discovered a security vulnerability in any VMS software product, we encourage you to report it to our Security Team immediately.
Information Recommended for Vulnerability Submissions
To help us address security vulnerabilities efficiently, please include the following details in your secure message, if available:
- Contact information.
- Vulnerability type, including the name and version of the affected component (e.g., software, firmware). Include any OpenVMS patches or updates you have installed.
- Root cause, including details about the environment where the vulnerability was discovered (e.g., operating system version, hardware).
- Steps to reproduce the vulnerability, if known.
- Potential impact of the vulnerability if exploited.
- Estimated severity of the issue using CVSS standards.
- Any proposed recommendations for fixing the issue.
The CVE reporting path is for security issues originating in the OpenVMS operating systems and VSI layered products. VSI reserves the right to ignore all other emails sent to that inbox, including questions about particular CVEs being fixed in a particular release (please address such questions to Support).
If VSI engineering determines that the issue reported does not constitute a vulnerability, VSI may reject the report.
How to Report a Security Vulnerability
VMS Security uses OpenPGP encryption for secure communication. To report a suspected security vulnerability, please send a secure message to our team at securityvulnerabilityreports@vmssoftware.com. You can download our public PGP key below and encrypt your message with it, following the instructions below.
PGP Encryption Instructions:
- Upload your public PGP key here.
- Download our public key here.
- Within your email tool, encrypt your secure message containing the vulnerability submission contents above using inline
- Send email to securityvulnerabilityreports@vmssoftware.com
- Please do not supply attachments at this time
Who Receives Security Vulnerability Requests?
Only a select group of authorized VMS employees have access to emails sent to securityvulnerabilityreports@vmssoftware.com. Your communication with us will be handled confidentially.
Our Response Process
Upon receiving your report, we will acknowledge receipt within three working days. For complex issues requiring further investigation, we will provide updates on our progress as we work to find a resolution. When the vulnerability is fixed, we will follow up as well.
Confidentiality
Any contact information shared with VMS regarding security vulnerabilities is treated with strict confidentiality and is not disclosed to third parties. If the security vulnerability is determined to be a wide-scale issue, we will report and communicate through official channels, but your information and identity will remain anonymous.
Existing CVEs
You can see the list of CVEs that have been reported and fixed here.
Notifications and Updates
VMS does not offer an advance notification service for security advisories. However, security advisories and updates are regularly posted on our website, distributed through our customer portal, and communicated to customers via email.
Thank you for your commitment to helping us maintain the security of VMS products and services. We value your contributions in keeping our systems safe and secure.