IBM Support

IBM Sterling - Security vulnerabilities identified by third party scanning tools

Question & Answer


Question

When finding security vulnerabilities via 3rd party scanning tools, how should one engage IBM Support?

Answer

Preface: While genuine issues arising out of 3rd party scanning reports can be looked into on a case-by-case basis, IBM cannot be involved in blanket analysis of 3rd party scanning tool reports. See https://www.ibm.com/support/pages/questions-handled-ibm-support, which lists among the items not handled by IBM Support:
"Interpretation or triage of customer or third party generated defect scanning reports"
As part of its Secure Engineering practices, IBM performs security vulnerability code scanning on all new major software product releases.
IBM also tests regularly for newly published security vulnerabilities that may pose a threat to components of the Sterling product.
IBM will accept Support Cases for investigating high severity vulnerabilities identified by third party scanning tools. However, before opening a support case, the customer is expected to have:
  1. Reviewed and triaged their third party scanning tool vulnerability reports to identify those items that are true positives and genuinely high severity.
  2. Checked that the vulnerability is not already addressed in a newer version of the Sterling product.
The IBM security bulletin search can be used to check the impact of specific CVEs on Sterling products: https://www.ibm.com/support/pages/bulletin/search/
In addition to providing the third party scanning report that details the vulnerabilities, it is important that a CVE number, or a link to published details, be included for each vulnerability. This lets IBM Support check the specific issue against solutions already in place. It also helps when product development must be engaged to create a solution specific to that issue (CVE number).
NOTE: Without a CVE number, it is very difficult for Support to provide a specific solution to a vulnerability.
There is a limit to the number of vulnerabilities that can be addressed in a single support case. IBM Support has a one-issue-per-case policy, which must be followed to avoid confusion in investigations that take longer than a few days. If a vulnerability assessment scan report returns more than one result, a maximum of three scan results per case is acceptable.


Document Information

Modified date:
05 June 2024

UID

ibm17156483