I am currently having the same experience with IBM. Our team has discovered a crippling vulnerability (in a product in the Tivoli suite) and for months our IBM contacts have tried passing the buck if they respond at all. We plan on disclosing the vulnerability before long but we want to be sure that we run through the normal process before releasing the information to bugtraq.
Sonny Discini Senior Network Security Engineer -----Original Message----- From: Jedi/Sector One [mailto:[EMAIL PROTECTED] Sent: Friday, August 06, 2004 5:42 PM To: Michael Scheidell Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Anyone know IBM's security address? On Fri, Aug 06, 2004 at 05:11:19PM -0400, Michael Scheidell wrote: > Have a vulnerability in an IBM product. > sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all > three bounced. Can anyone tell me the official address or procedure to > notify IBM? For AIX-releated flaws, the contact is [EMAIL PROTECTED] For other products... good luck. I also have a vulnerability in an IBM product but I wasn't able to get in touch with anyone. Online forms told me to call a number that is unreachable outside USA. The AIX security officer told me he would find the right contact but I never got anything else since. -- __ /*- Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com> -*\ __ \ '/ <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a> \' / \/ <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a> \/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
