back to article What did it take for stubborn IBM to fix flaws in its Data Risk Manager security software? Someone dropping zero-days

IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed. In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to …

  1. Anonymous Coward
    Anonymous Coward

    typical IBM, costs money and time to fix things, so don't do it, unless forced to.

    Also no surprise IBM doesn't even know how its own software works or is configured, those that knew were RA'd long ago.

  2. don't you hate it when you lose your account


    Incredibly bad management

    1. big_D Silver badge

      Re: IBM

      I always though it was Incredible Bloody Mindedness.

  3. Pascal Monett Silver badge

    "Why did IBM refuse to accept a free detailed vulnerability report?"

    Because the guy who received the report looked at his procedure lists and didn't have anything on that situation, so he classed it in the circular shelf.

  4. jonnycando

    Well Reg, they are notgoing to get back to you...if they anything it will be opaque and answer no questions given.

  5. Anonymous Coward
    Anonymous Coward


    When evaluating a product/service, a companies history of behavior/responses dictate a level of trust.

    So far I trust nobody :(

    1. Anonymous Coward

      Re: Trust

      Too true. I can't think of a major company that hasn't shown up in ElReg for ignoring vulnerabilities and patching them late, often only when they become public.And usually with a press release saying that they haven't seen any actual exploits (the operative word being "seen").

      1. yoganmahew

        Re: Trust

        Accompanied by "we take our customers security seriously" boilerplate.

  6. Will Godfrey Silver badge

    I really don't understand the attitude.

    I know it is all too common, but why?

    The software I work on doesn't have any security implications, beyond possibly freezing the desktop. However if I'm told about a bug in my code - especially if a proof of concept is included, it goes straight to the top of my TODO list (unless it's impossible to replicate). What is the point of doing anything else?

    1. Mark192

      Re: I really don't understand the attitude.

      Will Godfrey said: "if I'm told about a bug in my code - especially if a proof of concept is included, it goes straight to the top of my TODO list"

      But you're not a manager...

  7. Denarius

    takes me back

    to AIX 3.2.5. rlogin bug 30 years ago. Lovely being able to log into any box without authentication as root user. IBM ignored warnings until finder went public. You can tell the RAs did not hit the PHB levels. Almost as entertaining as HP Bug of the Week from late lamented Kernel Panic. Some of those were as gobsmacking. Now if only MS decided all objects arriving by mail were untrusted bt default, 40 years after Morris Worm we might be getting somewhere.

    Offtopic, why has concept of bastion host vanished ? Data theft is much harder if clear separation of private/internal machines is maintained, yet so many intrusions seem to work because a mere firewall, if that, is between the Interweb and the internal servers. Or am I just too old because I think internal stuff should not be accessible from outside without at least TPA and external devices being clean slated every month or less. Stuff the BYOD policy. Recipe for leakage.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like