
IBM Product Security Incident Response Process
The IBM Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. The IBM PSIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential product security vulnerabilities. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of IBM offerings should continue to report all product-related issues, including potential security vulnerabilities, to IBM Technical Support. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
When the IBM PSIRT receives a report of a potential vulnerability from a third party, it performs an initial assessment to determine whether the report concerns a known issue. If it is a known issue, the PSIRT will provide the vulnerability reporter with a tracking number and intends to provide an update about the targeted timeframe for a remediation as well. If it is not a known issue, the PSIRT will gather any additional details required for further investigation. The PSIRT logs the issue with the supporting details and notifies the appropriate IBM product teams of the potential vulnerability for analysis.
The appropriate product team attempts to reproduce the issue to verify whether it is a vulnerability. If confirmed as a security vulnerability, the product team engages with the IBM PSIRT to discuss remediation options.
After the initial analysis, the vulnerability undergoes further investigation by the product team(s) to determine the underlying cause and possible methods of exploitation. The team completes the remediation plan for the vulnerability, taking into consideration the affected versions.
During each stage of investigation, the IBM PSIRT intends to maintain communication with the vulnerability reporter and provide updates. In some cases, the PSIRT may request additional information from the vulnerability reporter to understand the environment in which the vulnerability appears, ways to reproduce the issue, potential exploitation methods, etc.
After development of the remediation plan, the IBM PSIRT intends to inform the vulnerability reporter of the targeted timeframe for resolution and coordinate communication efforts, as appropriate. IBM advocates communication and collaboration within the security community when handling vulnerability reports and disclosure to help minimize the potential risk and disruption to customers.
Once the remediation is available, IBM intends to notify the affected customers about the vulnerability either through targeted communications or by issuing a public Security Bulletin. When IBM discloses the vulnerability publicly, the Bulletin will include details such as the Common Vulnerability Scoring System (CVSS) Base score and vector, a reference to the assigned Common Vulnerabilities and Exposures (CVE) identifier, remediation for the affected offering(s) and other relevant links that may cover additional information.
The last stage in the IBM PSIRT process allows for post-release case maintenance during which the product team(s) may deliver updates to the remediation, if any. During this stage, the PSIRT also shares findings with our Engineering team(s) to help minimize similar vulnerabilities in future IBM offerings.