Under the industry's common practice, security companies and researchers report vulnerabilities to the developer once they are discovered and give the developer time to fix them.
Only after the vulnerabilities are fixed do they disclose them publicly, so that users are not exposed to threats. Most developers recognize and accept this practice.
Unfortunately, even a company like IBM can get this wrong. A few days ago, researchers published the details of four vulnerabilities in IBM's Data Risk Manager product directly on GitHub.
I am disclosing four 0day for IBM Data Risk Manager, an ENTERPRISE SECURITY APPLIANCE. @IBMSecurity refused to accept @certcc's disclosure and told them to fleck off! 🤣
Advisory and exploits here, have fun: https://t.co/60a7XRZt4C
— Pedro Ribeiro (@pedrib1337) April 21, 2020
Researchers found multiple vulnerabilities in IBM Data Risk Manager and submitted them to IBM.
IBM Data Risk Manager aggregates the output of vulnerability scanners and other risk management tools so that enterprise administrators can investigate security issues more easily.
However, the tool that manages other products' security vulnerabilities turned out to have vulnerabilities of its own. The researchers state that they allow remote code execution and pose a high security risk.
The vulnerabilities were not fixed after they were submitted to the developer. IBM's answer was that they fell outside the scope of its vulnerability disclosure process.
After this refusal to fix them, the researchers published the four zero-day vulnerabilities directly on GitHub, hoping to put pressure on IBM in this way.
The four vulnerabilities are a bypass of the IDRM authentication mechanism, an IDRM API injection, a hard-coded a3user/idrm account password, and an API that allows remote file download.
The severity of these zero-days is high, especially the hard-coded account password, and enterprises running IBM IDRM face an elevated risk.
Sure enough, IBM issued an apology after the researchers published the vulnerabilities. IBM said that an error in its bug-handling process led to an inappropriate response to the researchers.
The company said it has developed a fix and issued a security bulletin to alert customers.