websecurity@lists.webappsec.org

The Web Security Mailing List

About IBM

MustLive
Sun, May 27, 2012 8:50 PM

Hello guys!

I have a question for you about IBM. Has anybody successfully contacted
them, so that they officially answered and fixed vulnerabilities in their
software, since Leandro Meiners (since 2005)?

When I informed them many times in 2006-2008 about multiple
vulnerabilities at multiple web sites of IBM and IBM ISS, they either just
ignored them and did not fix them, or in some cases first ignored them and
later quietly fixed them. But those were their sites, and I was hoping that
concerning their software products they would behave differently.

But when last week, during 16.05-20.05, I sent five advisories to IBM
concerning multiple vulnerabilities which I had found (in May, during a
pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they
just ignored them. So they demonstrated the same behavior as with their web
sites. And there are a lot of Cross-Site Scripting, Information Leakage,
Brute Force, Insufficient Authentication, Cross-Site Request Forgery,
Redirector and HTTP Response Splitting vulnerabilities in their software,
which I informed them about, and which can be used for full compromise of
the server and the network of those who use IBM's software (as was done
during my pentest).

After the fourth e-mail to the IBM security department, when there were
still no answers from them, I resent the fourth letter to their support
(hoping that they would be more serious). The support answered on the next
day in a very funny way, not as lame as Cisco answered me in 2008
concerning vulnerabilities at their sites (which I considered the lamest
vendor response, much more so than the nominees of the Pwnie Awards), but
still not serious enough. The letter was a "standard one": that they are in
receipt of my e-mail report and apologize for any inconvenience I may have
experienced. When I drew support's attention to the fact that I had already
written five letters to their security department (and just one sent to
support) about multiple vulnerabilities in their software products and had
not received any answers from them, and that I had no "issues with working
with their software" (as he tried to state in his letter), I received
another letter from another IBM employee, who wrote the same "standard
phrases" and added that for reporting issues with software I can call them
by phone :-). And a week after that there are still no answers from them
(as was predictable since 16.05). This is how IBM cares about the security
of its software, particularly Lotus Notes and Domino and Lotus Notes
Traveler.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua