My issue with the entire process is that the ENVIRONMENT/EXPOSURE information is hard to come by. The information provided by the security portal is by FMID, not an English description (e.g. IBM HTTP SERVER REL x.x.).
Makes it relatively difficult to determine if this is REALLY REALLY critical to me, or just something to be included in my "normal" maintenance stream. <snip>

Strangely enough the only thing I found to complain about in this incident was the private notifications by phone/email to (in our case and I expect a non-trivial percentage) incorrect management contacts for the corporation on a holiday week. These notifications provided details including APAR numbers and descriptions which by policy IBM does not make visible in IBMLink and resulted in a great deal of stump pounding and wasted time, but did not actually tell us anything we did not already get notified of through automated email by previously having followed the documented procedure. The notice, which I expect was inconsistent, being made by many different IBM'ers and on a holiday week in much of the world, generated frustration at some sites including mine.

IBM has been advertising that customers should sign up for the Security Portal for some time in public, including at SHARE and z University. I am signed up and get email notifications when new alerts and files are posted. It works. The recent arrival of an APAR with a higher than previously seen CVSS score triggered activity that was not the expected procedure. My only questions to IBM on this will be what the procedure is and has it changed. My feeling was that someone called an audible. If there is a procedure to proactively contact sites when Alerts with a CVSS score higher than n are posted, I would like to know this and have the opportunity to maintain our contact preference for that in ResourceLink. If there is to be a notification I would prefer it to have been simply "IBM has recently posted important security patches for z/OS; please verify that your company has signed up for the System z Security Portal and reviewed them."
Perhaps the separate approval process for the security portal could be eliminated or streamlined and simply allow any SR/ResourceLink user with access to a current entitlement to view the alerts for those entitlements. I don't know if that is feasible, but I do recall that not that many years ago we had nothing; there was no way to find out what the APARs/PTFs were other than by bumping into them. So evolution here is possible.

The portal provides HOLDDATA/SOURCEID to allow you to check on missing Security and Integrity fixes on a regular basis and to verify that, as part of your preventative service, you have included all the current fixes if you wish to do so. It works. It ensures that only authenticated customers can easily get the list of security and integrity fixes, which is an interesting starting point for someone trying to engineer an exploit.

... Remainder snipped </snip>