According to an article on net-security.org a Moscow-based company will publish several security flaws among different products from IBM and other vendors during this month.

Informix is also named in the article:

• Software testing firm says no to responsible disclosure

Excerpt:

According to Brian Krebs, among the disclosed vulnerabilities there 
will be those that affect Web servers such as Zeus and Sun; Mysql, 
IBM DB2, Lotus Domino and Informix databases; and Novell eDirectory, 
Sun Directory and Tivoli Directory servers.

"After working with the vendors long enough, we've come to conclusion 
that, to put it simply, it is a waste of time. Now, we do not contact 
with vendors and do not support so-called 'responsible disclosure' 
policy," Legerov said.

At least for Informix I could say that IBM is very very keen and responsive regarding security flaws. Jonathan Leffler, the IDS Security Architect, gave several presentations on security on conferences and in the scope of the Informix Chat With the Lab series.

Security Expert David Litchfield praised IBM in the past for being very responsive regarding Informix related security flaws.

So the question that needs to be asked is:

Who inside IBM did the Russian company contact and why didn't they get a timely and competent response ?

The funny thing is that the big O database, that is well known for it's security flaws, is not named by the Russian company.

Maybe the Russian company did demand some money from IBM for their work or they simply contacted the wrong person inside IBM (which could happen easily when it comes to Informix).

Let's see what the security flaws are when the get published and in which Informix Versions they have been detected. I'm confident that the IBM Informix team will immediately respond to the flaws at least as long has they have been discovered in IDS Versions that are under maintenance.

Author: Eric Herber

Find more about it here.

Find out more about The Informix Zone.