IBM DataPower Operations Dashboard Documentation

MustGather: Security Vulnerability Issues

This document describes the MustGather process for opening a security vulnerability case with IBM Support.

Before You Report a Security Vulnerability Issue

Before you report a security vulnerability issue with IBM Support, please take the following steps:

  1. Test the vulnerability on the latest fix pack of the product. It is important to make sure any security scan is performed on the latest release to avoid reporting issues that have already been fixed.

  2. How was the security scan performed? Is it a raw scan from a third-party tool? According to IBM PSIRT policy, we cannot accept raw security reports or a list of CVEs. Raw scan reports can contain many false positives. If necessary, you might be asked to provide a proof of concept to show that any specific reported issue, in fact, is valid.

  3. The potential vulnerabilities (Non-Appliance installation only): Are they directly related to various dependencies such as Linux, httpd, and other open source components? If yes, please verify from the component's latest fix release notes whether it is already addressed.

  4. Several third-party dependency updates are routinely incorporated in DPOD fix packs and interim fixes. DPOD release notes might not contain the individual CVEs for each such fix. We will not be able to confirm if a particular third-party CVE is in a particular fix pack or an interim fix. Please ensure you tested on the latest fix pack as mentioned in step 1.

  5. IBM cannot discuss or confirm security vulnerabilities before a fix is publicly available.

Once the criteria are checked and verified, you can open a separate IBM Support Case for each issue. It is important to address each issue in a separate case so that each can be handled in a timely and efficient manner.

What Information to Provide in the Support Case

  1. Describe exactly how the issue was discovered and explain why the issue is not an expected behavior.

  2. Step-by-step instructions to re-create the issue, including all details such as request, response, payload, all headers, etc.

  3. What type of tools were used to identify this issue?

  4. Is there a public report available regarding this vulnerability? If yes, share the details and relevant links.

  5. Have you discovered any workaround for this issue? If yes, share the details.



Copyright © 2015 MonTier Software (2015) Ltd.