IBM Security Bulletins

IBM uses various methods to communicate security vulnerability information to customers. The company uses Security Bulletins when publicly disclosing security vulnerabilities discovered in IBM offerings and leverages alternative tools and processes, where appropriate (i.e., for System z, managed and cloud-based services), for more targeted and discrete communications with entitled customers. To help protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. For information about Security Bulletins, please monitor the IBM Support Portal and the IBM Product Security Incident Response Team Blog, and subscribe to My Notifications to receive important notifications about your products. When IBM publishes a Security Bulletin, the company intends to provide vulnerability information in it that is similar to the content specified in the Common Vulnerability Reporting Framework (CVRF). IBM does not intend to provide vulnerability details that could enable someone to craft an exploit.

IBM intends to use the Common Vulnerability Scoring System (CVSS) as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an industry open standard for assessing the severity or impact of computer system security vulnerabilities. This standard attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS 'score' is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments.