Typical IBM: it costs money and time to fix things, so don't do it unless forced to.
Also, no surprise IBM doesn't even know how its own software works or is configured; those that knew were RA'd long ago.
IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed. In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to …
I know it is all too common, but why?
The software I work on doesn't have any security implications, beyond possibly freezing the desktop. However, if I'm told about a bug in my code - especially if a proof of concept is included - it goes straight to the top of my TODO list (unless it's impossible to replicate). What is the point of doing anything else?
to AIX 3.2.5. rlogin bug 30 years ago. Lovely being able to log into any box without authentication as the root user. IBM ignored warnings until the finder went public. You can tell the RAs did not hit the PHB levels. Almost as entertaining as HP Bug of the Week from the late lamented Kernel Panic. Some of those were as gobsmacking. Now if only MS decided all objects arriving by mail were untrusted by default, 40 years after the Morris Worm, we might be getting somewhere.
Off topic: why has the concept of the bastion host vanished? Data theft is much harder if a clear separation of private/internal machines is maintained, yet so many intrusions seem to work because a mere firewall, if that, is between the Interweb and the internal servers. Or am I just too old because I think internal stuff should not be accessible from outside without at least TPA and external devices being clean-slated every month or less. Stuff the BYOD policy. Recipe for leakage.