Date: Thu, 19 Jul 2012 16:31:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: About IBM: results

Hello guys!

In May I wrote to the list about the case of how IBM handles information about vulnerabilities in their software. Here is the summary of my two months' conversation with IBM PSIRT and other employees of this company.

I was planning to end this story on a pessimistic note, but the previous night, when I was planning to write this letter to the list, I received an answer from IBM, so the summary was updated ;-). And as a result we have an additional delay in this process - IBM just can't get enough. But I hope that this story will end up optimistically.

Thanks to all participants of Full-Disclosure and the WASC Mailing List who gave their thoughts on this matter. In the Full-Disclosure mailing list these were Ferenc Kovacs, Jeffrey Walton, Thomas Richards, Bzzz, garthoid and Leandro Meiners. I answered privately to some of the people concerning their thoughts, and to some I answer below.

And in short, I wanted to try to communicate with IBM, without fast full disclosures, to solve these vulnerabilities, and would disclose them only synchronously with IBM or after some time if they lamerly ignored them. As I told the people, I'd write to the list about the results of this epopee. At first I was planning to write about this epopee in June, but it was delayed because of IBM.

Here is a quick summary.

- During 16.05-20.05 I wrote five advisories via the contact form at the IBM site. No reaction from "IT security".
- On 20.05 I contacted "Software support". Received a formal answer.
- On 20.05 I informed support that these are security issues (not something small which they can just ignore) and they need to send it to the security department. Again received a formal answer - this time with a "call me maybe" paragraph :-). In the result, IBM employees just ignored it.
- On 30.05, after the recommendation from the list to contact directly, I contacted IBM PSIRT directly. They said they hadn't received anything, neither from me via the contact form nor from support. Just as they didn't do anything (no security audit of their software), letting these multiple vulnerabilities in multiple IBM software go into the wild.
- On 31.05 I resent the five advisories, which they received and said they would send to the developers (of Lotus products).
- On 06.06, after silence from PSIRT, I reminded them. They said there was still no info from the developers, so please wait (until they format their brains to work faster).
- On 10.07, after more than a month of silence since the last time from PSIRT, I reminded them. No answer from them. This looks like IBM developers have decided to ignore these vulnerabilities.
- On 14.07 I informed IBM PSIRT that, due to their ignoring, I planned public disclosure of these vulnerabilities in July.
- On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said that the previous day they had a meeting with the developers, who were working on these issues, and they had started to fix them. No concrete deadline, they just started (and I'll be informed about the date, the same as they told me on 31.05). OK, let's give them more time.

This story with IBM reminds me of the Santa Barbara TV series :-) (looks like they love soap operas). So we'll be waiting for the fixes from IBM.

> security@....com should be monitored. I also suggest secure@....com

Ferenc and Jeffrey. Yes, there are different companies that use one of the above-mentioned email aliases for security purposes. But IBM uses other e-mails - as admin of the site, as support employees, as IBM PSIRT (and support and PSIRT monitor their mailboxes). I informed them by e-mail first (I had the IBM webmaster/hostmaster e-mail), but they ignored it (later, when I received other e-mails of IBM employees, I also used them).

They like to not monitor this e-mail - it was predictable, because the same happened in 2008, when I many times informed IBM about multiple vulnerabilities at their sites. I like to send information exactly by e-mail (even if later I'll need to repeat it via the contact form), because I save all sent security-related e-mails in the Sent Items folder for statistical purposes. And it's IBM's duty to receive all e-mails, especially when it's about security issues at their sites or software. And all serious people and companies for sure receive my e-mails, and those who are not lamers also fix the holes - I have large experience of informing admins of web sites and web developers over the last 7.5 years. And when I contacted them via the contact form, IBM employees answered, so at least they monitor the contact form. But they answered formally and ignored it, and as a result I needed to contact PSIRT, as you can see from the summary.

> Submitting to something like ZDI or Secunia may help in these cases.

Thomas, I've already been told (by Chintan Dave) about using Secunia or other sites for releasing vulnerabilities and exploits. But I'm not planning to release it before time (i.e. with immediate full disclosure); as I said above, I wanted to give IBM a chance to fix these holes (and of course I gave enough time for my client - a large Ukrainian bank - to try to handle these issues with IBM). Concerning ZDI, from what I know about them, they don't work with such holes. They work only with serious holes, not those which are not serious enough, like these multiple Cross-Site Scripting, Information Leakage, Brute Force, Insufficient Authentication, Cross-Site Request Forgery, Redirector and HTTP Response Splitting vulnerabilities in IBM software. For this reason I haven't contacted them.

When I found some holes in IBM Lotus Domino at the beginning of 2008 (during a pentest of web sites of my German client), I hadn't informed IBM directly about them. If my client wanted, they could do it by themselves (and some of those holes were fixed by 2012). And I had no headache with it. When this year I found many more holes in different IBM software and informed IBM, I received a lot of headache and time wasting. The moral - besides holes, IBM also produces headache ;-).

> IBM has a Security Incident Response team to handle (or ignore) issues

Garth, I used your recommendation and contacted PSIRT (as there was no effect from the "contact form" employees), as you can see from the summary. Besides, in the main contact form there is no mention of a separate contact (email or contact form) for IBM PSIRT, or any mention of it at all. Only an "IT security" department in the Message category field, which must mean exactly their Security Incident Response Team. The results of contacting PSIRT are not far from the "contact form" employees (but if those wasted half a month, then PSIRT has already wasted more than 1.5 months with no results) - first it looked optimistic, then pessimistic and at the last moment optimistic again. We'll see how it'll end up and whether there will be any positive effect from IBM PSIRT, because the "call me maybe" employees (who handle the contact form) are useless - in the case of security issues (at the least).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/