Security vulnerabilities identified by third party scanning tools

Background 

• As part of its Secure Engineering practices, IBM performs security vulnerability code scanning on all new major software product releases.
• For IBM's Cloud Pak and Red Hat certification processes, Docker images are scanned.
• Following our Continuous Delivery policy (https://www-01.ibm.com/support/docview.wss?uid=ibm10738757), we refresh our products on a regular basis.  
• We regularly pick up the latest levels of all third-party products used, thereby ensuring that we have the latest vulnerability scanned version of third-party products/components.    

Support 

• We will accept Support Cases (PMRs) for investigating high severity vulnerabilities identified by third party scanning tools.
• However, before opening a support case, it is expected that the customer will have:
  • reviewed and triaged their third party scanning tool vulnerability reports to identify those items that are true positives and truly high severity. (This is documented in the IBM Support Handbook: http://lure.austin.ibm.com/webapp/set2/sas/f/handbook/getsupport.htm)
  • checked that the vulnerability is not already addressed in a newer version of the FileNet Content Manager product
• In addition to providing the third party scanning report that details the vulnerability(s), in some cases, it may be necessary for customers to provide a script or equivalent that exploits the vulnerability so that we can properly investigate it.