lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADYtyvLxU5aLhJAL0e7aVL9Q2VOnNgfkaxWd-32MSKxvW76VYA@mail.gmail.com>
Date: Thu, 19 Jul 2012 10:13:48 -0400
From: Григорий Братислава <musntlive@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: About IBM: results

On Thu, Jul 19, 2012 at 9:31 AM, MustLive <mustlive@...security.com.ua> wrote:

> - During 16.05-20.05 I've wrote five advisories via contact form at IBM
> site. No reaction from "IT security".
> - At 20.05 I've contacted "Software support". Received formal answer.
> - At 20.05 informed support, that this is security issues (not something
> small, which they can just ignore) and they need to sent it to security
> department. Again received formal answer - this time with "call me maybe"
> paragraph :-). In result IBM employees just ignored.
> - At 30.05, after recommendation from the list to contact directly, I've
> contacted IBM PSIRT directly. They said they didn't received anything, not
> from me via contact form, nor from support. The same as they didn't do
> anything (no security audit of their software) to make this multiple
> vulnerabilities in multiple IBM software to go to the wild.
> - At 31.05 I've resend five advisories, which they received and said they
> would send them to the developers (of Lotus products).
> - At 06.06, after silence from PSIRT, I've reminded them. They said there is
> still no info from developers, so wait please (until they will format their
> brains to work faster).
> - At 10.07, after more then month of silence since last time from PSIRT,
> I've reminded them. No answer from them. This looks like IBM developers have
> decided to ignore these vulnerabilities.
> - At 14.07 I've informed IBM PSIRT, that due to their ignoring I'd plan
> public disclosure of these vulnerabilities on July.
> - At 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and said
> that previous day they had meeting with developers, which were working on
> these issues, and they started to fix them. No concrete deadline, they just
> started (and I'll be informed about the date, the same as they told me at
> 31.05). OK, let's give them more time.

Maybe IBM is see who you are and is just chuckle because none of your
advisories is ever worth anything?

Perhaps is maybe yes, IBM is read through BS, nonsense, BSnonsense, NonsenseBS?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ