IBM Support

IBM Engineering Lifecycle Management - Security vulnerabilities identified by third party scanning tools


This document describes the IBM Engineering Lifecycle Management (ELM) support policy for security vulnerabilities identified by third party scanning tools.

Background

IBM performs security vulnerability code scanning on all new major software product releases as part of its Secure Engineering practices. We do regular testing and scanning for the latest security vulnerabilities that may pose a threat to components of the ELM product. See SPbD@IBM in the IBM Trust Center for more information.

Support

We will accept Support Cases for investigating critical and high severity vulnerabilities identified by third party scanning tools.

Before opening a support case, it is expected that the customer will:

  • Review and triage their third party scanning tool vulnerability reports to identify those items that are true positives and truly critical/high severity.
  • Check that the vulnerability is not already addressed in a newer version of the ELM product.
  • Describe the steps necessary to reproduce each vulnerability. These are the steps that cause the vulnerability to manifest in ELM, not the steps to run the scan.
  • Identify a CVE number or link to published details related to each vulnerability.

The CVE number or link lets us check the specific issue against solutions already in place. It also helps when we need to engage product development for assistance in creating a solution specific to that issue (CVE number). Without a CVE number, it is difficult for Support to provide a specific solution to a vulnerability.

Open a single support case for each critical or high severity vulnerability and provide the information listed above. This will provide clarity for you and the Support organization when identifying a resolution to the issue.


Document Information

Modified date: 17 July 2024

UID: ibm17156368