
IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws
2020-04-21 15:28

A security researcher says IBM has told him it will not patch several vulnerabilities he found in its Data Risk Manager product, even though he demonstrated that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges.

Pedro Ribeiro of Agile Information Security has disclosed technical details for four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security product that IBM says "provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business."

The flaws were reported to IBM through CERT/CC, but the vendor said it had assessed the report and closed it as out of scope for its vulnerability disclosure program "since this product is only for 'enhanced' support paid for by our customers."

IBM has a bug bounty program, but currently it's not offering any monetary rewards for vulnerabilities found in its products.

The researcher says he conducted his tests against version 2.0.3 of the Data Risk Manager Linux virtual appliance.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/ZO59VYqfxNs/ibm-tells-researcher-it-will-not-patch-serious-data-risk-manager-flaws

Related vendor

Vendor   Products (last 12 months)   Low   Medium   High   Critical   Total vulns
IBM      736                         216   2774     1264   248        4502