Re: About IBM: results

["MustLive" <mustlive () websecurity com ua>]

Hi Jeffrey!

Earlier Christian Heinrich told me to send information to FIRST Members.
Among which there is US CERT.

So, I can do it. I will send all data to US CERT in case if IBM still
ignore to fix it (unlike their official statements). Because if IBM will
fix and make their own disclosures and announcements, then all their clients
should be informed by IBM. Or I can send to US CERT alongside with IBM's 
announcements.

Best wishes & regards,
Eugene Dokukin aka MustLive
http://websecurity.com.ua

----- Original Message ----- 
From: "Jeffrey Walton" <noloader () gmail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, July 20, 2012 8:11 PM
Subject: Re: About IBM: results


> On Thu, Jul 19, 2012 at 9:31 AM, MustLive <mustlive () websecurity com ua>
> wrote:
> > Hello guys!
> >
> > In May I've wrote to the list about case of how IBM handle information
> > about
> > vulnerabilities in their software. Here is the summary of my two months
> > conversation with IBM PSIRT and other employees of this company. I was
> > planning to end up this story on pessimistic note, but previous night,
> > when
> > I was planning to write this letter to the list, I've received answer
> > from
> > IBM, so the summary was updated ;-). And in result we have additional
> > delay
> > in this process - IBM just can get enough. But I hope that this story
> > will
> > end up optimistically.
> >
> > ...
> >
> > - During 16.05-20.05 I've wrote five advisories via contact form at IBM
> > site. No reaction from "IT security".
> > - At 20.05 I've contacted "Software support". Received formal answer.
> > - At 20.05 informed support, that this is security issues (not something
> > small, which they can just ignore) and they need to sent it to security
> > department. Again received formal answer - this time with "call me maybe"
> > paragraph :-). In result IBM employees just ignored.
> > - At 30.05, after recommendation from the list to contact directly, I've
> > contacted IBM PSIRT directly. They said they didn't received anything,
> > not
> > from me via contact form, nor from support. The same as they didn't do
> > anything (no security audit of their software) to make this multiple
> > vulnerabilities in multiple IBM software to go to the wild.
> > - At 31.05 I've resend five advisories, which they received and said they
> > would send them to the developers (of Lotus products).
> > - At 06.06, after silence from PSIRT, I've reminded them. They said there
> > is
> > still no info from developers, so wait please (until they will format
> > their
> > brains to work faster).
> > - At 10.07, after more then month of silence since last time from PSIRT,
> > I've reminded them. No answer from them. This looks like IBM developers
> > have
> > decided to ignore these vulnerabilities.
> > - At 14.07 I've informed IBM PSIRT, that due to their ignoring I'd plan
> > public disclosure of these vulnerabilities on July.
> > - At 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and
> > said
> > that previous day they had meeting with developers, which were working on
> > these issues, and they started to fix them. No concrete deadline, they
> > just
> > started (and I'll be informed about the date, the same as they told me at
> > 31.05). OK, let's give them more time.
> You could also send it to US Cert. I would bet many IBM customers
> subscribe to their mailings (even if the same customers don't
> subscribe to Full Disclosure).
>
> I passed on stuff for Apple to US Cert since Apple did not address
> concerns for over a year. Many Apple customers, including those in
> Federal, will receive the US Cert


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/