Topics

General Questions

Q: What is X-Force?

A: The IBM Internet Security Systems X-Force research and development team is a leading group of security experts dedicated to proactive counter intelligence and public education against online threats. X-Force researches security issues, tracks the evolution of threats through ISS' Global Threat Operations Center, and ensures that ISS is the first to bring new threat management solutions to market.


Q: What's the difference between a Protection Alert and an Advisory?

A: Basically, it's the difference between whether the security issue was discovered by X-Force, or whether X-Force is providing additional information on an existing security issue discovered by someone else. Both provide production protection information for the profiled threat. X-Force Protection Alerts are released when X-Force discovers significant additional information about an existing security issue. X-Force Protection Advisories contain information from original, internal X-Force research. Each advisory includes a detailed description of the security vulnerability, its impact, affected versions, and recommendations for managing and/or correcting the issue.


Q: May I link to your publications?

A: Yes, as long as you follow the Terms of Use at http://www.ibm.com/legal/us/en/.


Q: May I reprint or copy your publications?

A: There are certain conditions within the Terms of Use (http://www.ibm.com/legal/us/en/) that list when you can reprint X-Force materials. The terms also describe how you can seek permission to reprint.


Q: Will X-Force pay for security vulnerability disclosures?

A: No. IBM X-Force does not pay for disclosure of security vulnerability information.


Q: How do I apply for a job with X-Force?

A: X-Force career opportunities are listed on the IBM career page. You should use this system to search and apply for job postings. If you send your resumes or inquiry to other locations or email addresses, then you may not get a response.

X-Force Database general questions

Q: What is the X-Force Database?

A: The X-Force Database is one of the world's most comprehensive threats and vulnerabilities database. This database is the result of thousands of hours of work by X-Force researchers and developers, and much of the data is incorporated into IBM ISS' own products. The database contains over 40,000 unique vulnerabilities, threats, and security checks, compiled from the Internet, original X-Force research, IBM ISS software, and other software.


Q: What is a security issue?

A: A security issue is defined as any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system.


Q: Are there any security issues you don't include in the X-Force Database?

A: Yes. While the X-Force database may include a few records falling into the types of issues below, we don't exhaustively research them: Physical security; Legacy or obsolete software, networks, and hardware; Hardware and software that cannot connect with the Internet; Software and hardware that is managed centrally, and does not install software elsewhere (for example, Microsoft Hotmail); Security issues occurring at a specific time (for example, Internet threats occurring this Thursday).


Q: How do I search for a specific security issue?

A: You can use the X-Force search engine at http://xforce.iss.net/xforce/search.php, or you can use your favorite search engine. Your choice of keywords makes a big difference in the success of finding the information you want. For example, searching on Microsoft will result in hundreds of results, but searching on MS07 may narrow your search to Microsoft security bulletins for 2007.


Q: I can't find records related to a platform that I think has security issues. Why?

A: In some cases, X-Force researchers encounter an entire class of related and affected platforms, such as all Windows or all Linux systems. Instead of listing every platform, the researcher lists only the overall platform. If you're not finding vulnerabilities about the platform you need, then it's likely that your search is too specific. Try making your search more general. For example, instead of searching for AS/400, search on AIX instead.


Q: Do you verify the existence of every security issue in your database?

A: No. While X-Force verifies all security issues with related protection incorporated into our products, the research team determines the validity of a security issued based on the credibility of the source reporting the issue. Once an issue is published, X-Force will only remove an issue from the database if the source reporting the non-existence of the security issue is credible. If you are a vendor or creator of an affected product and would like to clarify, request to revise, or refute a reported issue, see the following question.


Q: Can you provide me with instructions or exploit code to verify the existence of a security issue?

A: No. X-Force does not disclose exploit or proof of concept code, since the release of such information could increase the likelihood of malicious activity related to the vulnerability.


Q: How can I get ISS to publish a security vulnerability that I found?

A: X-Force does not accept unsolicited or undisclosed information concerning security vulnerabilities. You should attempt to work with the creator of the affected product to arrive at a resolution, and then publish your results on one of several vulnerability disclosure mailing lists.


Q: How often do you update your database?

A: A team of X-Force researchers documents and updates security issues around the clock. Changes appear on the Web site minutes after they are made.


Q: How can I be notified when you add or change information in the X-Force database?

A: There are a variety of methods for staying up to date with additions and notifications about security issues in the database. X-Force RSS feeds -- X-Force Blog and Internet Threat Information Center on the ISS Homepage at http:www.iss.net. You can also subscribe to the X-Force Threat Analysis Service and receive breaking information immediately.


Q: I see something I don't think is a security issue. Why is it in your database?

A: The X-Force database is a repository for issues directly and indirectly related to computer security, such as configuration settings, product-related status messages, and security audit checks included in many different security products. Because IBM ISS customers use the database to obtain more information about their products, there are a few instances where a Web page may not make sense outside of the context of the IBM ISS product.


Q: My ISS product references a security record that I cannot access to link to in the database. Is the link broken?

A: ISS often updates our products to provide our customers with protection against vulnerabilities that are not yet publicly known security issues. When X-Force discovers a vulnerability within a product, we follow specific vulnerability disclosure guidelines that include contacting the vendor and coordinating the public release of the vulnerability information to allow them time to develop a fix. We consider this the responsible approach to vulnerability disclosure. In these cases, we may update our products for the issue prior to public announcement of the vulnerability, but the database record will remain private until the public release.

X-Force Database content

Q: What do the cryptic term and number at the top of the page mean?

A: The cryptic term is an ISS Tag Name and the number is the X-Force ID (XFID): The ISS Tag Name is a terse term usable by software and people to uniquely refer to the security issue. For example, the tag name for the issue at http://xforce.iss.net/xforce/xfdb/3171 is amd-bo. Researchers make up the tag name using keywords relating to the security issue, typically including the affected item and other distinguishing characteristics. The tag name is used in ISS products, and is also frequently used by researchers to reference the security issue. The XFID is a number used to uniquely refer to the security issue. For example, the XFID for the issue at http://xforce.iss.net/xforce/xfdb/3171 is 3171. This number is automatically assigned by the X-Force Database when the researcher enters information about the security issue.


Q: What do the Risk Levels for each security issue denote?

A: X-Force assigns risk levels to each security issue to describe the extent of damage that could be caused by a specific security issue. There are three possible risk levels. High: Security issues that allow immediate remote or local access, or immediate execution of code or commands, with unauthorized privileges. Medium: Security issues that have the potential of granting access or allowing code execution by means of complex or lengthy exploit procedures, or low risk issues applied to major Internet components. Low: Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access.


Q: How does X-Force determine which systems are affected by a particular security issue?

A: X-Force researchers systematically collect and read vulnerability disclosure reports, affected products' advisories and Web sites, follow up messages, and other information to compile a list of affected platforms. Information regarding affected platforms and remedies often changes as new information appears and more vendors report whether their systems are vulnerable. For some high-priority issues, X-Force does independent testing to confirm which versions are and are not vulnerable.


Q: Why don't you include links to specific vendor patches in the Remedy section?

A: We believe that maintenance of appropriate vendor patches is best handled on the vendor Web site itself. Vendors often update or replace certain patches over time, and we do not have the ability to monitor multiple patch updates for thousands of issues in the X-Force Database. Further, many times patch download URLs are not specific to a particular patch, but rather direct you to a general download site on the vendor's Web site. For these reasons, we supply links to the vendor's Web site, but not to the specific patch downloads.


Q: What are the Consequences and what do they signify?

A: Consequences are ranked from most severe to least severe. Gain Access-An attacker can obtain local and/or remote access. Gain Privileges-Privileges can be gained on the local system. Bypass Security-An attacker can bypass, change, or disable security mechanisms. File Manipulation-An attacker can create, delete, read, modify, corrupt or overwrite files. Data Manipulation-An attacker can modify or corrupt data streams. Obtain Information-An attacker can obtain information such as file and path names, source code, passwords, banners or server configuration details. Denial of Service-An attacker can crash or hang a service or system or take down a network. Configuration-A system utility was installed or executed with incorrect or insecure setup parameters or in the wrong place. Informational-Incidental data that does not correlate with more severe categories. Other-Used when none of the other consequences apply. None-Used for non-security checks that don't have significant effects.


Q: What are References? Why don't some of the links for the references work?

A: References are any Internet-based file that provides supporting or additional information about the security issue. References include a brief description of the reference, the exact title (including any spelling errors made by the author), and the URL or Web address to the reference. The nature of the Internet means that at times some references may not be available. The computer or network may be unavailable, the file may have been moved or deleted, or the file or page has been replaced by something else. If you believe a reference is incorrect, please use the corrections or additions link at the bottom of each X-Force database Web page to let us know.


Q: What is a Standard? What do the CVE and BID terms mean?

A: Standards are common names used by security researchers to refer to specific security issues. The most common standards are: CVE - The MITRE CVE (Common Vulnerabilities and Exposures) project (http://cve.mitre.org/about/) defines standard names for security issues. For more information about the CVE project, please see the MITRE CVE Questions section of this FAQ. BID - The BugTraq ID provides a reference to public vulnerability information. More information is available at http://www.securityfocus.com/bid.


Q: What date does the "Reported Date" information signify?

A: This date is the earliest documented public disclosure X-Force can locate for this security issue. The reported date may not be available for audit or product-related auditing issues, or it may be set to the date that product featured this issue.


Q: I'd like to see X-Force display additional information within the database. Is this possible?

A: ISS always encourages customers to let us know what other information you might need. If you have a suggestion for additional information having to do with a security issue, or if you have an improvement for the wording of a specific issue, please send us a message from the X-Force Web Form.


Q: What criteria are used to designate an application as Spyware or Riskware?

A: ISS defines Spyware or Riskware as software that has ANY of the following attributes: Presence of analysis and tracking activities; No reasonable means of gaining user consent for the application to be installed and run; Unreasonably high memory, CPU or general resource usage; Application causes the user's machine to be unstable; Application grouped as Spyware or Riskware within other commercial or industry recognized security organizations.

Feedback, updates and disputes

Q: I have a question about a security issue in your database.

A: Great! If you have a question about a specific security issue, please use the corrections or additions link at the bottom of each X-Force database Web page to let us know.


Q: I'd like to know how to fix a product you have listed in your database.

A: The Remedy section for each security issue often provides instructions on how to fix a vulnerable product. For all third party products, you should contact the manufacturer or reseller of the product for detailed information or instructions.


Q: I have new information or changes I'd like you to consider for an issue in your database or I have verified that some data I see in the database is incorrect.

A: You can use the corrections or additions link at the bottom of each X-Force database Web page to provide us with additional information concerning a specific security issue, or you can send us a message using the form. Remember to provide a reference to the security issue along with your comments. Provide as many details as you can, such as the following information: Typographical or clerical errors; Incomplete list of affected platforms, references, or standards; Incomplete or incorrect remedy. X-Force cannot change the following information unless it violates our selection criteria: Risk level; Consequences.


Q: I own a product you claim has a security issue. How can I get you to remove it?

A: You can use the corrections or additions link at the bottom of the specific X-Force database Web page that affects your product. To expedite research, please include either the reference to a public declaration that the issue is false (such as a rebuttal reply in a mailing list) or enough evidence for X-Force researchers to determine that the issue is not valid. We can only remove security issues when there is proof that the issue was never legitimate. We cannot remove a security issue if it was valid for a previous or current version, even if a patch or fix is available.


Q: How can I get you to display my name for discovering a vulnerability?

A: While X-Force records the names of discoverers in our database, this information is not publicly displayable for privacy reasons.

Copyright issues

Q: I would like to reference your database content. Is there a way to legally do this?

A: While it is permissible to link to content in the X-Force database, you should consult the Terms of Use for details on what you can and cannot do. If you want to use X-Force database content in your product or on your Web site, see the next question.


Q: I would like to use your database in my product or on my Web site. How can I do that?

A: Apply to become an IBM Business Partner. Please e-mail us using this secure, online contact form. Please include both your contact information and a description of your desired use of the database information. You may also call us at 1-800-776-2362 for more information. The IBM ISS business development team will contact you regarding licensing terms and pricing.

MITRE CVE questions

Q: What is CVE?

A: The Common Vulnerabilities and Exposures (CVE) project standardizes names for security problems. More information on the CVE project is available at http://cve.mitre.org/about/.


Q: What is a CVE name?

A: A CVE name is a standardized label for a specific security issue.


Q: Where are CVE names used?

A: CVE names are often displayed on a vendor's security advisory, in the report from a security product, or a finder's vulnerability disclosure report. For example, a vendor may refer to the security issue as CVE-2007-0000.


Q: What do you mean by "The X-Force Database is CVE compatible"?

A: IBM X-Force is one of the founding members of CVE, and has supported this project since its inception in 1998. X-Force publications and data include CVE names, provide search capabilities, and document our processes for using and updating CVE names, in accordance with the requirements and recommendations put forth by the CVE project.


Q: What's your timeframe for updating CVE names to reflect a newly released CVE version?

A: The X-Force database team updates new CVE candidates daily. Upon notification of a new CVE version, X-Force updates CVE names in the X-Force database hours to days after the list of CVE names is available, depending on the size of the list.


Q: How up-to-date is X-Force with CVE?

A: X-Force strives to maintain complete alignment with the public CVE names. The current CVE version the X-Force database is supporting is 20061101, in addition to CVE candidate names that are being updated daily.


Q: Where do you display CVE names?

A: In the X-Force database, CVE names appear in the section titled "References". This section appears near the bottom of each Web page. If there are any CVE names for this security issue, they are listed in alphabetical order.


Q: How do I use a CVE name to find a security issue?

A: There are many ways you can find a security issue in the X-Force database given its CVE name. X-Force provides a search engine where you can enter the CVE name (in this example, CVE-2007-0000) and search the X-Force database. Hint: Sometimes you may be more successful at finding CVE names if you omit the CVE or CAN prefix in the ISS search engine. For example, use "-2007-0000" instead of "CVE-2007-0000". You can use a Web address that follows these examples: http://xforce.iss.net/xforce/search.php?type=2&pattern=CVE-2007-0000; http://xforce.iss.net/xforce/search.php?type=2&pattern=2007-0000. You can use your favorite search engine to find the CVE name in the X-Force database.


Q: Does X-Force use CVE candidates, reserved CVE names, or rejected CVE names?

A: Yes, mostly. To assist our customers in finding valid security issues that have CVE names, X-Force uses all CVE names when we verify an association between a security issue and a CVE name. Here's how we treat these special CVE names: CVE candidates - These are CVE names that have not yet been approved by the CVE reviewers. If X-Force learns of a valid security issue using a credible CVE candidate name, we will include it in the X-Force database. Reserved CVEs - Vendors and researchers may reserve a CVE name prior to the public disclosure of a security issue. At the time of public disclosure, it may take a few days for the CVE Web site to display the final description of the issue. Rejected CVEs - The CVE project occasionally rejects CVE names. X-Force documents and displays rejected CVE names to provide customers with complete information should they refer to an issue using the rejected CVE name.