Managing security vulnerabilities
Media attention has drawn public focus to security vulnerabilities in both software and hardware products. An application such as IBM Spectrum Control (Spectrum Control) or any of its included components might have security vulnerabilities. If this happens, it is important to understand the process that IBM uses to communicate information to the customer.
This appendix provides an overview of the IBM Product Security Incident Response Team (PSIRT) and how its processes relate to managing any possible security vulnerabilities in Spectrum Control and its related components. The following resources are described in this appendix:
Monitor the IBM Support portal.
Monitor the IBM Product Security Incident Response Team (PSIRT) blog.
Subscribe to My Notifications.
 
Note: A description of these possibilities does not imply that a product is affected by any particular vulnerability. Always refer to the published security bulletins.
IBM Product Security Incident Response Team overview
The PSIRT manages the receipt, investigation, and internal coordination of security vulnerability information that is related to IBM offerings. This team coordinates with the IBM product and solution teams to investigate the report and identify the appropriate response plan. Its processes provide for communication of confirmed vulnerabilities to customers.
Communicating about security vulnerabilities
IBM does not publicly disclose or confirm security vulnerabilities until IBM completes an analysis of the product and issues fixes or mitigations. Additionally, IBM does not intend to provide vulnerability details that would enable someone to craft an exploit. Communication occurs primarily through the security bulletins that are published on the IBM Support portal, but targeted and discreet communication might also occur. After they are published, the security bulletins for a product provide the information that you need to identify the following items:
Public security vulnerability details
Affected versions of the product
Workarounds or mitigations
Remediations or fixes
Until a security bulletin is published for a product, no information is available about whether that product is affected by a particular vulnerability. In some situations that receive much public attention, a security bulletin might be published to state that a product is not affected by a particular vulnerability, but in most cases that is not done. Treat the absence of a bulletin as "not yet determined" rather than as "not affected".
Finding the security bulletins
The security bulletins are published on the http://www.ibm.com website. You can choose to be notified when new security bulletins are published, or you can go to http://www.ibm.com and browse either the security content for all products or all of the support content for a single product. Whichever way you prefer to find the security bulletins that you need, becoming familiar with the following websites helps.
IBM Product Security Incident Response Team blog
The IBM PSIRT blog is a good place to start. It consolidates the security bulletins from all IBM products into a common location and provides links to other related security resources. To check out the blog, open a web browser and go to the following website:
IBM Support portal
Additionally, each product's support portal provides a section that is called Flashes, alerts and bulletins, where you can browse the security bulletins for that product. For Spectrum Control, the support portal is at the following website:
For other IBM products, open the IBM Support portal and select your product at the following website:
The flashes, alerts, and bulletins that are listed on the support portal can be filtered by version or operating system to help you locate the appropriate content.
My Notifications
You can also choose to be notified immediately of security bulletins and flashes by subscribing to My Notifications for selected products. Sign up for notifications by going to the following website:
Resolving security vulnerabilities for Spectrum Control
If Spectrum Control is affected by a security vulnerability or a set of vulnerabilities, a security bulletin is published after a fix or a workaround that mitigates the issue is available. The security bulletin covers all of the actions that must be taken to resolve the vulnerabilities. These actions cover Spectrum Control and any affected internal components. The Spectrum Control bulletins might mention, but do not describe in detail, other products that integrate with it. Depending on the product version, the vulnerability, and the components of Spectrum Control that you are using, a separate set of actions might be required after you apply a fix.
Because each vulnerability is unique, review the security bulletin thoroughly to identify whether you are affected and what actions to take.
Vulnerabilities for other products
Security bulletins for Spectrum Control cover vulnerabilities for it plus any internal components, but what about other software products that are bundled with Spectrum Control or integrated with it? Here are a few examples of products you might be using and must maintain:
IBM DB2
Jazz for Service Management
IBM Tivoli Common Monitoring
IBM WebSphere Application Server (used with Jazz for Service Management)
Copy Services Manager
IBM Spectrum Protect Snapshot
IBM Tivoli Monitoring
The answer is the same for all of them and is similar to what you do for Spectrum Control: for those products, check the IBM PSIRT blog or the individual product support portals for any published security bulletins. Each product team is responsible for publishing its own security bulletins. Review any published security bulletins to identify the affected versions and follow the remediation or fix information. If these products are affected, they might provide a maintenance fix. It is acceptable to apply a fix pack to these products to resolve security vulnerabilities or other problems. Upgrading one of these products to a new version or release, however, is typically not supported by Spectrum Control and might result in compatibility issues. Even with fix pack updates, read the security bulletins carefully for any compatibility concerns. For example, if a fix disables a protocol that Spectrum Control and the other product use to communicate, both products must be configured to use a replacement protocol before the fix is applied, or the integration stops working.
Vulnerabilities with the operating systems
Some security vulnerabilities are found at the operating system level. To confirm and resolve security vulnerabilities at that level, see the operating system vendor's website and security information.
Reporting a security vulnerability
Customers and other entitled users of Spectrum Control, or of any of the bundled products, should contact IBM technical support to report security issues. If the IBM technical support team determines that a reported issue is a security vulnerability, it informs IBM PSIRT, which sets the collaboration process in motion.
Other individuals or groups can report security vulnerabilities by using information that is available at the following website: