On Thu, Jul 19, 2012 at 9:31 AM, MustLive <[email protected]> wrote:
> Hello guys!
>
> In May I wrote to the list about a case of how IBM handles information about
> vulnerabilities in their software. Here is the summary of my two months of
> conversation with IBM PSIRT and other employees of this company. I was
> planning to end this story on a pessimistic note, but the previous night, when
> I was planning to write this letter to the list, I received an answer from
> IBM, so the summary was updated ;-). As a result we have an additional delay
> in this process - IBM just can get enough. But I hope that this story will
> end optimistically.
>
> ...
>
> - During 16.05-20.05 I wrote five advisories via the contact form at the IBM
> site. No reaction from "IT security".
> - At 20.05 I contacted "Software support". Received a formal answer.
> - At 20.05 I informed support that these are security issues (not something
> small which they can just ignore) and they need to send them to the security
> department. Again received a formal answer - this time with a "call me maybe"
> paragraph :-). As a result IBM employees just ignored it.
> - At 30.05, after a recommendation from the list to contact them directly, I
> contacted IBM PSIRT directly. They said they hadn't received anything, not
> from me via the contact form, nor from support. Likewise they didn't do
> anything (no security audit of their software) to stop these multiple
> vulnerabilities in multiple IBM software products from going into the wild.
> - At 31.05 I resent the five advisories, which they received and said they
> would send to the developers (of Lotus products).
> - At 06.06, after silence from PSIRT, I reminded them. They said there was
> still no info from the developers, so wait please (until they format their
> brains to work faster).
> - At 10.07, after more than a month of silence since the last contact from
> PSIRT, I reminded them. No answer from them. This looks like IBM developers
> have decided to ignore these vulnerabilities.
> - At 14.07 I informed IBM PSIRT that, due to their ignoring, I plan public
> disclosure of these vulnerabilities in July.
> - At 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
> that the previous day they had a meeting with the developers, who were working
> on these issues, and they had started to fix them. No concrete deadline, they
> just started (and I'll be informed about the date, the same as they told me at
> 31.05). OK, let's give them more time.

You could also send it to US Cert. I would bet many IBM customers subscribe to their mailings (even if the same customers don't subscribe to Full Disclosure).

I passed on stuff for Apple to US Cert since Apple did not address concerns for over a year. Many Apple customers, including those in Federal, will receive the US Cert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
