
MustGather: Security Vulnerability issues for API Connect & DataPower Gateways 

Troubleshooting


Problem

This document describes the MustGather process for opening a security vulnerability case with IBM Support.
How to report a security vulnerability with IBM Support:  
Before you report a security vulnerability issue with IBM Support, please take the following steps:  
1. Test the vulnerability on the latest fix pack of the product. Any security scan must be run against the latest release so that issues that are already fixed are not reported again.
See latest product version here: 
DataPower https://www.ibm.com/support/pages/supported-firmware-versions-and-recommended-levels-ibm-datapower-gateways-products 
API Connect https://www.ibm.com/support/pages/node/565445
2. Have you subscribed to IBM Security Bulletins to receive the latest updates? These updates can help you decide what needs to be reported and what does not. More details on the bulletins can be found here: https://www.ibm.com/security/secure-engineering/bulletins.html 
3. How was the security scan performed? Is it a raw scan from a third-party tool? According to IBM PSIRT policy, we cannot accept raw scan reports or a bare list of CVEs. Raw scan reports can contain many false positives. If necessary, you might be asked to provide a proof of concept showing that a specific reported issue is, in fact, valid.
4. For non-OVA deployments only: are the potential vulnerabilities directly related to dependencies such as Docker, Linux, Node, Drupal, or other open source components? If yes, check the release notes of the component's latest fix release to verify whether the issue is already addressed.
5. Several third-party dependency updates are routinely incorporated in API Connect fix packs and interim fixes. API Connect security bulletins might not list the individual CVEs for each such fix, and we will not be able to confirm whether a particular third-party CVE is addressed in a particular fix pack or interim fix. Please ensure you tested on the latest fix pack, as mentioned in step 1.
6. IBM cannot discuss or confirm security vulnerabilities before a fix is publicly available and a security bulletin is published. 

Once these criteria have been checked and verified, open a separate IBM Support Case for each issue. Handling each issue in its own case allows it to be worked in a timely and efficient way. 

What information to provide in the support case: 
  • Describe exactly how the issue was discovered and explain why the behavior is not expected.
  • Step-by-step instructions to re-create the issue. The details must include the request, the response, the payload, and all headers. 
  • What type of tool was used to identify this issue? 
  • Is there a public report available regarding this vulnerability? If yes, share the details and relevant links.
  • Have you discovered any workaround for this issue? If yes, share the details.
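The reproduction details above (request, response, payload and all headers) are easiest to provide consistently when they are captured by a script rather than copied by hand. The following is an added example, not IBM's own tooling and not part of the original document: it sends one request, records exactly what was sent and what came back, and renders the exchange as plain text for attachment to the case. Header names are always kept so support sees the full shape of the request; only the values of credential-bearing headers (Authorization, Cookie, Set-Cookie and the client-id/secret headers) are masked. The local stub server, the `/api/orders` path, the header values and the sensitive-header list are all constructed assumptions so the script runs offline; point `record_exchange` at the real endpoint in practice.

```python
"""Capture one HTTP exchange as a case-attachable reproduction record.

Added example, not IBM's own tooling. A constructed local stub server stands
in for the API endpoint so the script runs offline. Header names are always
kept; only the values of credential-bearing headers are masked.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed list of header names whose values must not leave your environment
# in a case attachment. Extend it for any custom secret-carrying headers.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie",
                     "x-ibm-client-secret", "x-ibm-client-id"}


def redact_headers(headers):
    """Return (name, value) pairs with secret values masked, names untouched."""
    return [(name, "<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers]


def record_exchange(host, port, method, path, headers, body=None):
    """Send one request and return exactly what was sent and what came back."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    resp_body = resp.read()
    conn.close()
    return {
        "request": {"method": method, "path": path,
                    "headers": redact_headers(list(headers.items())),
                    "body": body},
        "response": {"status": resp.status, "reason": resp.reason,
                     "headers": redact_headers(resp.getheaders()),
                     "body": resp_body.decode("utf-8", "replace")},
    }


def render(record):
    """Format the record as plain text in the order a reader reproduces it."""
    req, resp = record["request"], record["response"]
    lines = ["=== REQUEST ===", f"{req['method']} {req['path']}"]
    lines += [f"{n}: {v}" for n, v in req["headers"]]
    lines += ["", req["body"] or "", "=== RESPONSE ===",
              f"{resp['status']} {resp['reason']}"]
    lines += [f"{n}: {v}" for n, v in resp["headers"]]
    lines += ["", resp["body"]]
    return "\n".join(lines)


class _StubGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for the endpoint under test (not a real gateway)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        payload = self.rfile.read(length)
        answer = json.dumps({"received_bytes": len(payload),
                             "client_id_seen": "X-IBM-Client-Id" in self.headers}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Set-Cookie", "session=constructed-value")
        self.send_header("Content-Length", str(len(answer)))
        self.end_headers()
        self.wfile.write(answer)

    def log_message(self, *args):  # keep demo output clean
        pass


def start_stub_server():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub_server()
    rec = record_exchange("127.0.0.1", port, "POST", "/api/orders",
                          {"Authorization": "Bearer do-not-share",
                           "X-IBM-Client-Id": "abc123",
                           "Content-Type": "application/json"},
                          body='{"id": 1}')
    print(render(rec))
    server.shutdown()
```

Attach the rendered text once per issue, alongside the tool name and version that first flagged the finding; if the behavior depends on a specific header or payload, keep that part verbatim and mask only the secret values.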

Document Location

Worldwide

Document Information

Modified date:
20 July 2020

UID

ibm16243876