Security News > 2020 > June > What did it take for stubborn IBM to fix flaws in its Data Risk Manager security software? Someone dropping zero-days

IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed.

In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software - only to issue fixes after details of the holes emerged online.

About a week later, on May 7, the IT titan issued versions 2.0.4.1 and 2.0.6.2 of Data Risk Manager said to address the reported flaws.

Ribeiro said he wasn't interested in a bounty - not that Big Blue pays out actual cash for reported flaws - rather, he just wanted IBM to take his findings seriously and address the programming blunders in its product.

"I did not ask or expect a bounty since I do not have a HackerOne account and I don't agree with HackerOne's or IBM's disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it."

News URL

https://go.theregister.com/feed/www.theregister.com/2020/06/23/ibm_data_risk_manager/