[WEB SECURITY] About IBM: results

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Jul 20 04:22:56 EDT 2012


irony :)

On Thu, Jul 19, 2012 at 6:50 AM, MustLive <mustlive at websecurity.com.ua> wrote:
> Hello guys!
> In May I wrote to the list about the case of how IBM handles information about
> vulnerabilities in their software. Here is the summary of my two-month
> conversation with IBM PSIRT and other employees of this company. I was
> planning to end this story on a pessimistic note, but last night, when I
> was planning to write this letter to the list, I received an answer from
> IBM, so the summary was updated ;-). And as a result we have an additional delay
> in this process - IBM just can get enough. But I hope that this story will
> end optimistically.
> Thanks to all participants of both security lists who gave their thoughts
> on this matter. In the WASC Mailing List these were Martin O'Neal, Christian
> Heinrich and Chintan Dave. I answered them privately concerning their
> thoughts, and in short, I wanted to try to communicate with IBM, without fast
> full disclosures, to solve these vulnerabilities, and would disclose them
> only synchronously with IBM or after some time if they lamerly ignored them.
> As I told them, I'd write to the list about the results of this epopee. At
> first I was planning to write about this epopee in June, but it was delayed
> because of IBM. Here is a quick summary.
> - During 16.05-20.05 I wrote five advisories via the contact form at the IBM
> site. No reaction from "IT security".
> - On 20.05 I contacted "Software support". Received a formal answer.
> - On 20.05 I informed support that these are security issues (not something
> small which they can just ignore) and they need to send them to the security
> department. Again received a formal answer - this time with a "call me maybe"
> paragraph :-). As a result IBM employees just ignored it.
> - On 30.05, after a recommendation from the list to contact them directly, I
> contacted IBM PSIRT directly. They said they hadn't received anything, neither
> from me via the contact form nor from support. The same as they didn't do
> anything (no security audit of their software) about these multiple
> vulnerabilities in multiple IBM software going into the wild.
> - On 31.05 I resent the five advisories, which they received and said they
> would send to the developers (of Lotus products).
> - On 06.06, after silence from PSIRT, I reminded them. They said there was
> still no info from the developers, so please wait (until they format their
> brains to work faster).
> - On 10.07, after more than a month of silence since the last contact from PSIRT,
> I reminded them. No answer from them. This looks like IBM developers have
> decided to ignore these vulnerabilities.
> - On 14.07 I informed IBM PSIRT that due to their ignoring I planned
> public disclosure of these vulnerabilities in July.
> - On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
> that the previous day they had had a meeting with the developers, who were working on
> these issues, and they had started to fix them. No concrete deadline, they just
> started (and I'll be informed about the date, the same as they told me on
> 31.05). OK, let's give them more time.
> This story with IBM reminds me of the Santa Barbara TV series :-) (looks like they
> love soap operas). So we'll be waiting for the fixes from IBM.

Christian Heinrich

