[WEB SECURITY] About IBM: results

steve jensen sjensen1207 at hotmail.com
Wed Jul 18 17:20:57 EDT 2012


Nice to see IBM is open to hearing from people regarding vulnerabilities. Unfortunately, when I've attempted "responsible" disclosure with a company, I'm always threatened with a lawsuit.

> From: mustlive at websecurity.com.ua
> To: websecurity at lists.webappsec.org
> Date: Wed, 18 Jul 2012 23:50:17 +0300
> Subject: [WEB SECURITY] About IBM: results
> 
> Hello guys!
> 
> In May I wrote to the list about the case of how IBM handles information about
> vulnerabilities in their software. Here is the summary of my two months of
> conversation with IBM PSIRT and other employees of this company. I was
> planning to end this story on a pessimistic note, but last night, when I
> was planning to write this letter to the list, I received an answer from
> IBM, so the summary was updated ;-). And as a result we have an additional delay
> in this process - IBM just can get enough. But I hope that this story will
> end up optimistically.
> 
> Thanks to all participants of both security lists who gave their thoughts
> on this matter. In the WASC Mailing List these were Martin O'Neal, Christian
> Heinrich and Chintan Dave. I answered them privately concerning their
> thoughts, and in short, I wanted to try to communicate with IBM, without fast
> full disclosures, to solve these vulnerabilities, and would disclose them
> only synchronously with IBM or after some time if they lamerly ignored them.
> As I told them, I'd write to the list about the results of this epopee. At
> first I was planning to write about this epopee in June, but it was delayed
> because of IBM. Here is a quick summary.
> 
> - During 16.05-20.05 I wrote five advisories via the contact form at the IBM
> site. No reaction from "IT security".
> - On 20.05 I contacted "Software support". Received a formal answer.
> - On 20.05 I informed support that these are security issues (not something
> small which they can just ignore) and they need to send them to the security
> department. Again received a formal answer - this time with a "call me maybe"
> paragraph :-). As a result IBM employees just ignored it.
> - On 30.05, after a recommendation from the list to contact them directly, I
> contacted IBM PSIRT directly. They said they hadn't received anything, not
> from me via the contact form, nor from support. The same as they didn't do
> anything (no security audit of their software) to stop these multiple
> vulnerabilities in multiple IBM software from going into the wild.
> - On 31.05 I resent the five advisories, which they received and said they
> would send to the developers (of Lotus products).
> - On 06.06, after silence from PSIRT, I reminded them. They said there was
> still no info from the developers, so please wait (until they format their
> brains to work faster).
> - On 10.07, after more than a month of silence since the last word from PSIRT,
> I reminded them. No answer from them. This looks like IBM developers have
> decided to ignore these vulnerabilities.
> - On 14.07 I informed IBM PSIRT that due to their ignoring I planned
> public disclosure of these vulnerabilities in July.
> - On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
> that the previous day they had a meeting with the developers, who were working on
> these issues, and they had started to fix them. No concrete deadline, they just
> started (and I'll be informed about the date, the same as they told me on
> 31.05). OK, let's give them more time.
> 
> This story with IBM reminds me of the Santa Barbara TV series :-) (looks like they
> love soap operas). So we'll be waiting for the fixes from IBM.
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua