lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8muji8vYnnLYuGR_ULUzgDt8FvHsMwVFfqZwuQ=0nxVJg@mail.gmail.com>
Date: Fri, 20 Jul 2012 13:11:36 -0400
From: Jeffrey Walton <noloader@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: About IBM: results

On Thu, Jul 19, 2012 at 9:31 AM, MustLive <mustlive@...security.com.ua> wrote:
> Hello guys!
>
> In May I've wrote to the list about case of how IBM handle information about
> vulnerabilities in their software. Here is the summary of my two months
> conversation with IBM PSIRT and other employees of this company. I was
> planning to end up this story on pessimistic note, but previous night, when
> I was planning to write this letter to the list, I've received answer from
> IBM, so the summary was updated ;-). And in result we have additional delay
> in this process - IBM just can get enough. But I hope that this story will
> end up optimistically.
>
> ...
>
> - During 16.05-20.05 I've wrote five advisories via contact form at IBM
> site. No reaction from "IT security".
> - At 20.05 I've contacted "Software support". Received formal answer.
> - At 20.05 informed support, that this is security issues (not something
> small, which they can just ignore) and they need to sent it to security
> department. Again received formal answer - this time with "call me maybe"
> paragraph :-). In result IBM employees just ignored.
> - At 30.05, after recommendation from the list to contact directly, I've
> contacted IBM PSIRT directly. They said they didn't received anything, not
> from me via contact form, nor from support. The same as they didn't do
> anything (no security audit of their software) to make this multiple
> vulnerabilities in multiple IBM software to go to the wild.
> - At 31.05 I've resend five advisories, which they received and said they
> would send them to the developers (of Lotus products).
> - At 06.06, after silence from PSIRT, I've reminded them. They said there is
> still no info from developers, so wait please (until they will format their
> brains to work faster).
> - At 10.07, after more then month of silence since last time from PSIRT,
> I've reminded them. No answer from them. This looks like IBM developers have
> decided to ignore these vulnerabilities.
> - At 14.07 I've informed IBM PSIRT, that due to their ignoring I'd plan
> public disclosure of these vulnerabilities on July.
> - At 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and said
> that previous day they had meeting with developers, which were working on
> these issues, and they started to fix them. No concrete deadline, they just
> started (and I'll be informed about the date, the same as they told me at
> 31.05). OK, let's give them more time.
You could also send it to US Cert. I would bet many IBM customers
subscribe to their mailings (even if the same customers don't
subscribe to Full Disclosure).

I passed on stuff for Apple to US Cert since Apple did not address
concerns for over a year. Many Apple customers, including those in
Federal, will receive the US Cert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ