IBM Security Vulnerability Management (PSIRT)
IBM Product Security Incident Response Team (PSIRT) Overview
The IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. IBM PSIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential IBM product security vulnerabilities. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of IBM offerings should continue to report all product related issues, including potential security vulnerabilities, to IBM Technical Support. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
IBM Product Security Incident Response Team Process
When IBM PSIRT receives a report of a potential vulnerability from a third party, IBM PSIRT logs the issue with the supporting details and provides the tracking number to the vulnerability reporter. IBM PSIRT notifies the appropriate IBM product teams of the potential vulnerability for analysis.
The appropriate product team attempts to reproduce the issue to verify whether it is a vulnerability.
After the initial analysis, the vulnerability undergoes further investigation by the product team to determine the underlying cause and possible methods of exploitation. The team completes the remediation plan for the vulnerability, taking into consideration the affected versions.
In some cases, IBM PSIRT may request additional information from the vulnerability reporter to understand the environment in which the vulnerability appears, ways to reproduce the issue, potential exploitation methods, etc.
Once the remediation is available, IBM intends to notify the affected customers about the vulnerability using either targeted communications or issue a public Security Bulletin. When IBM discloses the vulnerability publicly, the Bulletin will include details such as the Common Vulnerability Scoring System (CVSS) Base score and vector, a reference to the assigned Common Vulnerabilities and Exposures (CVE) identifier, remediation for the affected offering(s) and other relevant links that may cover additional information.
The last stage in IBM PSIRT process allows for IBM PSIRT to share findings with our Engineering team(s) to help minimize similar vulnerabilities in future IBM offerings.