Read the Statement of z/VM System Integrity here
IBM strongly recommends that users of the z/VM Operating System validate the currency of security and system integrity service and take action to promptly install all security and integrity PTFs. As a best practice, IBM strongly recommends that clients obtain access to the System z Security Portal and subscribe to the Security Portal’s automatic notification process to get access to the latest service information on security and system integrity APARs for z/VM. Note that IBM treats vulnerability information in connection with System z as IBM Confidential and by accessing the Security Portal you agree to treat such information as confidential in accordance with the terms set forth here
If you are not currently authorized to access the Security Portal, instructions to do so are located here. IBM makes available important information about security and system integrity APARs and associated fixes in this Security Portal which can help you to plan the timely installation of security and integrity fixes. Once you are registered at the Security Portal, you may subscribe and receive an email notification of all new posts.
In the Security Portal, the security / integrity data for z/VM is provided in a single file, using a naming convention that includes a prefix of the date in the format “YYYY-MM-DD vvinteg.txt”. This file primarily contains the component ID, APAR and PTF numbers, and the Common Vulnerability Scoring System Version 2.0 (CVSS) data that can be used by security personnel to help evaluate the potential risk of a particular APAR. Base and Temporal scores are provided. Clients must complete any required Environmental score. An example file name might be “2011-05-03 vvinteg.txt”, which would be a file that contains APAR and CVSS data that was made available on May 3rd, 2011.
In addition to the Security Portal, IBM includes the pertinent Security / Integrity APAR fixes in the next Recommended Service Upgrade (RSU) after the fix is available (typically within 60 days.) Note however, that to obtain or use the Common Vulnerability Scoring System (CVSS) data and to obtain the most up to date notification clients must be authorized to use the System z Security Portal
The process for the dissemination of Security / Integrity data on System z has evolved over a very long time. The current process has been formed by carefully listening to many clients’ needs and industry requirements. Based on feedback from our varied client set, IBM has a policy of treating security vulnerability information as confidential. IBM believes it important that a client feel secure coming to IBM with a problem report that may affect the security of their enterprise. IBM will hold the detailed vulnerability information in confidence throughout the lifecycle of the potential problem to help reduce the likelihood that detailed knowledge of the vulnerability will be made public. The System z Security Portal provides clients with the ability to determine what IBM service needs to be applied to their systems to help mitigate identified security risks and the means to authenticate and retrieve the latest security / integrity data to help them stay current with maintenance.
There are many sources used by IBM to help investigate potential security vulnerability issues impacting System z. These sources include a team of individuals that comprise the System z System Integrity Competency Center utilizing inspection techniques, as well as various testing and scanning tools, ethical hackers from our Watson Research Lab, and some external sources. IBM has also developed relationships with organizations such as CERT, CVE, BugTraq, MIT, etc., which can provide notification of potential vulnerabilities, before they are made public in many cases, so we can develop and make fixes available to help mitigate potential risk to System z. In addition, on rare occasions clients may find and report system integrity or security concerns directly to IBM, and can do so with the knowledge that IBM will treat the information as confidential. IBM will investigate each report and when appropriate create APARs and make fixes available.
It is strongly recommended that clients validate the currency of their z/VM security and system integrity service levels and subscribe to the System z Security Portal to receive the latest information on System z security and system integrity service. The timely installation of security and system integrity service can help minimize potential risks and maintain overall system security and availability.