[WEB SECURITY] About IBM: results

MustLive mustlive at websecurity.com.ua
Tue Jul 31 16:55:48 EDT 2012

Hi Steve!

It's sad to hear that you've met such a reaction from IBM. Have you had such 
cases of being threatened with a lawsuit from other companies?

Because I had none from IBM, and they tried to be fine and gentle, without even 
mentioning a lawsuit. At first they were very slow, as I mentioned in my 
previous letter, but last time they began working faster and have already fixed 
some holes (just part of all the holes I've informed them about), and they were 
planning to release updates in August.

Maybe they found it hard to sue me in Ukraine :-) and suing you in Colorado, 
USA is much easier for them. But as I mentioned on the list in 2009 - in 
my two articles "Hacking of web sites, security researches, disclosure and 
legislation" - finding vulnerabilities is completely legal.

Best wishes & regards,
Eugene Dokukin aka MustLive

----- Original Message ----- 
From: steve jensen
To: mustlive at websecurity.com.ua ; websecurity at lists.webappsec.org
Sent: Thursday, July 19, 2012 12:20 AM
Subject: RE: [WEB SECURITY] About IBM: results

Nice to see IBM is open to hearing from people regarding vulnerabilities. 
Unfortunately, when I've attempted "responsible" disclosure with a company, 
I'm always threatened with a lawsuit.

> From: mustlive at websecurity.com.ua
> To: websecurity at lists.webappsec.org
> Date: Wed, 18 Jul 2012 23:50:17 +0300
> Subject: [WEB SECURITY] About IBM: results
> Hello guys!
> In May I wrote to the list about the case of how IBM handles information
> about vulnerabilities in their software. Here is the summary of my two
> months of conversation with IBM PSIRT and other employees of this company.
> I was planning to end this story on a pessimistic note, but last night,
> when I was planning to write this letter to the list, I received an answer
> from IBM, so the summary was updated ;-). And as a result we have an
> additional delay in this process - IBM just can get enough. But I hope that
> this story will end optimistically.
> Thanks to all participants of both security lists who gave their thoughts
> on this matter. In the WASC Mailing List these were Martin O'Neal,
> Christian Heinrich and Chintan Dave. I've answered them privately
> concerning their thoughts and, in short, I wanted to try to communicate
> with IBM, without fast full disclosures, to solve these vulnerabilities,
> and would disclose them only synchronously with IBM or after some time if
> they lamerly ignored them.
> As I told them, I'd write to the list about the results of this epopee. At
> first I was planning to write about this epopee in June, but it was delayed
> because of IBM. Here is a quick summary.
> - During 16.05-20.05 I wrote five advisories via the contact form at the
> IBM site. No reaction from "IT security".
> - On 20.05 I contacted "Software support". Received a formal answer.
> - On 20.05 informed support that these are security issues (not something
> small, which they can just ignore) and they need to send them to the
> security department. Again received a formal answer - this time with a
> "call me maybe" paragraph :-). As a result IBM employees just ignored it.
> - On 30.05, after a recommendation from the list to contact them directly,
> I contacted IBM PSIRT directly. They said they didn't receive anything,
> neither from me via the contact form nor from support. The same as they
> didn't do anything (no security audit of their software) to make these
> multiple vulnerabilities in multiple IBM software to go to the wild.
> - On 31.05 I resent the five advisories, which they received and said they
> would send to the developers (of Lotus products).
> - On 06.06, after silence from PSIRT, I reminded them. They said there is
> still no info from developers, so wait please (until they will format
> their brains to work faster).
> - On 10.07, after more than a month of silence since the last time from
> PSIRT, I reminded them. No answer from them. This looks like IBM
> developers have decided to ignore these vulnerabilities.
> - On 14.07 I informed IBM PSIRT that, due to their ignoring, I'd plan
> public disclosure of these vulnerabilities in July.
> - On 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and
> said that the previous day they had a meeting with developers, who were
> working on these issues, and they started to fix them. No concrete
> deadline, they just started (and I'll be informed about the date, the same
> as they told me on 31.05). OK, let's give them more time.
> This story with IBM reminds me of the Santa Barbara TV series :-) (looks
> like they love soap operas). So we'll be waiting for the fixes from IBM.
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua