[WEB SECURITY] About IBM: results

MustLive mustlive at websecurity.com.ua
Wed Jul 18 16:50:17 EDT 2012

Hello guys!

In May I wrote to the list about the case of how IBM handles information about
vulnerabilities in their software. Here is the summary of my two months'
conversation with IBM PSIRT and other employees of this company. I was
planning to end this story on a pessimistic note, but last night, when I
was planning to write this letter to the list, I received an answer from
IBM, so the summary was updated ;-). And as a result we have an additional delay
in this process - IBM just can't get enough. But I hope that this story will
end up optimistically.

Thanks to all participants of both security lists who gave their thoughts
on this matter. In the WASC Mailing List these were Martin O'Neal, Christian
Heinrich and Chintan Dave. I answered them privately concerning their
thoughts, and in short, I wanted to try to communicate with IBM, without fast
full disclosures, to solve these vulnerabilities, and would disclose them
only synchronously with IBM or after some time if they lamerly ignored them.
As I told them, I'd write to the list about the results of this epopee. At
first I was planning to write about this epopee in June, but it was delayed
because of IBM. Here is a quick summary.

- During 16.05-20.05 I wrote five advisories via the contact form at the IBM
site. No reaction from "IT security".
- On 20.05 I contacted "Software support". Received a formal answer.
- On 20.05 I informed support that these are security issues (not something
small which they can just ignore) and that they need to send them to the security
department. Again received a formal answer - this time with a "call me maybe"
paragraph :-). As a result IBM employees just ignored it.
- On 30.05, after a recommendation from the list to contact them directly, I
contacted IBM PSIRT directly. They said they hadn't received anything, neither
from me via the contact form, nor from support. The same as they didn't do
anything (no security audit of their software) about these multiple
vulnerabilities in multiple IBM software products going into the wild.
- On 31.05 I resent the five advisories, which they received and said they
would send to the developers (of Lotus products).
- On 06.06, after silence from PSIRT, I reminded them. They said there was
still no info from developers, so please wait (until they format their
brains to work faster).
- On 10.07, after more than a month of silence since the last word from PSIRT,
I reminded them. No answer from them. This looked like IBM developers had
decided to ignore these vulnerabilities.
- On 14.07 I informed IBM PSIRT that due to their ignoring I planned
public disclosure of these vulnerabilities in July.
- On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
that the previous day they had a meeting with developers, who were working on
these issues, and they had started to fix them. No concrete deadline, they just
started (and I'll be informed about the date, the same as they told me on
31.05). OK, let's give them more time.

This story with IBM reminds me of the Santa Barbara TV series :-) (looks like they
love soap operas). So we'll be waiting for the fixes from IBM.

Best wishes & regards,
Administrator of Websecurity web site