websecurity@lists.webappsec.org

The Web Security Mailing List

About IBM: results

MustLive
Wed, Jul 18, 2012 8:50 PM

Hello guys!

In May I wrote to the list about the case of how IBM handles information about
vulnerabilities in their software. Here is the summary of my two-month
conversation with IBM PSIRT and other employees of this company. I was
planning to end this story on a pessimistic note, but last night, when I
was planning to write this letter to the list, I received an answer from
IBM, so the summary was updated ;-). And as a result we have an additional delay
in this process - IBM just can get enough. But I hope that this story will
end optimistically.

Thanks to all participants of both security lists who gave their thoughts
on this matter. In the WASC Mailing List these were Martin O'Neal, Christian
Heinrich and Chintan Dave. I answered them privately concerning their
thoughts; in short, I wanted to try to communicate with IBM, without fast
full disclosures, to solve these vulnerabilities, and would disclose them
only synchronously with IBM or after some time if they lamerly ignored them.
As I told them, I'd write to the list about the results of this epopee. At
first I was planning to write about this epopee in June, but it was delayed
because of IBM. Here is a quick summary.

  • During 16.05-20.05 I wrote five advisories via the contact form at the IBM
    site. No reaction from "IT security".
  • On 20.05 I contacted "Software support". Received a formal answer.
  • On 20.05 I informed support that these are security issues (not something
    small which they can just ignore) and that they need to send them to the
    security department. Again received a formal answer - this time with a
    "call me maybe" paragraph :-). As a result, IBM employees just ignored it.
  • On 30.05, after a recommendation from the list to contact them directly, I
    contacted IBM PSIRT directly. They said they hadn't received anything, neither
    from me via the contact form nor from support. Just as they didn't do
    anything (no security audit of their software) to stop these multiple
    vulnerabilities in multiple IBM products from going into the wild.
  • On 31.05 I resent the five advisories, which they received and said they
    would send to the developers (of Lotus products).
  • On 06.06, after silence from PSIRT, I reminded them. They said there was
    still no info from the developers, so please wait (until they format their
    brains to work faster).
  • On 10.07, after more than a month of silence since the last word from PSIRT,
    I reminded them. No answer from them. This looks like the IBM developers have
    decided to ignore these vulnerabilities.
  • On 14.07 I informed IBM PSIRT that, due to their ignoring, I planned
    public disclosure of these vulnerabilities in July.
  • On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
    that the previous day they had a meeting with the developers, who were working
    on these issues, and that they had started to fix them. No concrete deadline,
    they just started (and I'll be informed about the date, the same as they told
    me on 31.05). OK, let's give them more time.

This story with IBM reminds me of the Santa Barbara TV series :-) (looks like
they love soap operas). So we'll be waiting for the fixes from IBM.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

steve jensen
Wed, Jul 18, 2012 9:20 PM

Nice to see IBM is open to hearing from people regarding vulnerabilities. Unfortunately, when I've attempted "responsible" disclosure with a company, I'm always threatened with a lawsuit.

From: mustlive@websecurity.com.ua
To: websecurity@lists.webappsec.org
Date: Wed, 18 Jul 2012 23:50:17 +0300
Subject: [WEB SECURITY] About IBM: results


Christian Heinrich
Fri, Jul 20, 2012 8:22 AM

Eugene,

http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-July/008455.html
irony :)

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
MustLive
Sun, Jul 22, 2012 8:55 PM

Christian, yes.

It's a fun case. This is the "official" answer of IBM on this matter B-).

Maybe in summer IBM just has a lot of employees on vacation, which is the
reason why their PSIRT and Lotus developers handle these holes very slowly.
I spent a few days finding those multiple holes in multiple IBM
products (and mentioned to them that there are many more holes than those I
wrote to them about in the five advisories), and already for more than 2 months
they "can't get enough" and I haven't received any concrete answers from them
(no terms, nothing at all, except a request to wait for their response).

I've seen many cases of autoresponders from participants of security mailing
lists. And the interesting thing is that most of the autoresponders I saw
were exactly from IBM employees :-). It looks like a lot of them have vacations
or business trips all year round.

As I see, this auto-reply got to the list due to Robert's latest changes
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-July/008441.html).

P.S.

Besides, earlier you told me to send the information to FIRST Members. And among
them there is US CERT. Recently Jeffrey Walton recommended that I send this
data to US CERT.

So, I can do it. I will send all the data to US CERT in case IBM still ignores
fixing it, or I can even send it to them alongside IBM's announcements.

Best wishes & regards,
Eugene Dokukin aka MustLive
http://websecurity.com.ua

----- Original Message -----
From: "Christian Heinrich" <christian.heinrich@cmlh.id.au>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <websecurity@lists.webappsec.org>
Sent: Friday, July 20, 2012 11:22 AM
Subject: Re: [WEB SECURITY] About IBM: results

Eugene,

http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-July/008455.html
irony :)

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
MustLive
Tue, Jul 31, 2012 8:55 PM

Hi Steve!

It's sad to hear that you've met such a reaction from IBM. Did you have such
cases of being threatened with a lawsuit by other companies?

Because I had none from IBM and they tried to be fine and gentle, without even
mentioning a lawsuit. At first they were very slow, as I mentioned in my
previous letter, but lately they have begun working faster and have already
fixed some holes (just a part of all the holes I informed them about), and they
were planning to release updates in August.

Maybe they find it hard to sue me in Ukraine :-) and suing you in Colorado,
USA is much easier for them. But as I mentioned on the list in 2009 - in
my two articles "Hacking of web sites, security researches, disclosure and
legislation" - finding vulnerabilities is completely legal.

Best wishes & regards,
Eugene Dokukin aka MustLive
http://websecurity.com.ua

----- Original Message -----
From: steve jensen
To: mustlive@websecurity.com.ua ; websecurity@lists.webappsec.org
Sent: Thursday, July 19, 2012 12:20 AM
Subject: RE: [WEB SECURITY] About IBM: results

Nice to see IBM is open to hearing from people regarding vulnerabilities.
Unfortunately, when I've attempted "responsible" disclosure with a company,
I'm always threatened with a lawsuit.

From: mustlive@websecurity.com.ua
To: websecurity@lists.webappsec.org
Date: Wed, 18 Jul 2012 23:50:17 +0300
Subject: [WEB SECURITY] About IBM: results

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
