Full Disclosure mailing list archives
About IBM
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 27 May 2012 23:51:09 +0300
Hello guys! I have a question for you about IBM. Has anybody successfully contacted them, so that they officially answered and fixed vulnerabilities in their software, since Leandro Meiners (since 2005)?

When I informed them many times in 2006-2008 about multiple vulnerabilities at multiple web sites of IBM and IBM ISS, they just ignored them and did not fix them, or some of them they first ignored and later quietly fixed. But those were their sites, and I was hoping that concerning their software products they would behave differently. But when last week, during 16.05-20.05, I sent five advisories to IBM concerning multiple vulnerabilities which I found (in May, during a pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they just ignored them. So they demonstrated the same behavior as with their web sites.

And there are a lot of Cross-Site Scripting, Information Leakage, Brute Force, Insufficient Authentication, Cross-Site Request Forgery, Redirector and HTTP Response Splitting vulnerabilities in their software, which I informed them about, and which can be used for full compromise of the server and the network of those who use IBM's software (as was done during my pentest).

After the fourth e-mail to the IBM security department, when there were still no answers from them, I resent the fourth letter to their support (hoping that they would be more serious). The support answered on the next day, very funny, not as lame as Cisco answered me in 2008 concerning vulnerabilities at their sites (which I considered the lamest vendor response, much lamer than those nominees on the Pwnie Awards), but still not serious enough. The letter was a "standard one": that they are in receipt of my e-mail report and apologize for any inconvenience I may have experienced.

When I drew support's attention to the fact that I had already written five letters to their security department (and just one to support) about multiple vulnerabilities in their software products and had not received any answers from them, and that I had "no issues with working with their software" (as he tried to state in his letter), I received another letter from another IBM employee, who wrote the same "standard phrases" and added that to report issues with software I can call them by phone :-). And now, a week after that, there are still no answers from them (as was predictable since 16.05).

This is how IBM cares about the security of their software, particularly Lotus Notes and Domino and Lotus Notes Traveler.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua