JazzHub Password reset e-mail?


Scott Rich (57136) | asked Aug 14 '13, 11:09 a.m.
JAZZ DEVELOPER
I just received an e-mail asking me to change my JazzHub password.  What's that about?

One answer



Scott Rich (57136) | answered Aug 14 '13, 11:11 a.m.
JAZZ DEVELOPER
edited Aug 14 '13, 11:14 a.m.
On Monday morning, a member of the IBM Jazz team uncovered a potential security vulnerability at our JazzHub site.  The vulnerability was a theoretical one, and there is no evidence that the vulnerability was ever exploited. However, because we take the security of our systems very seriously, we took the affected systems down and treated them as though they had been compromised.

In response to the vulnerability, we took the following steps:
  • As soon as the exposure was confirmed, we disabled the affected function.
  • Yesterday, we developed a patch for the vulnerability.
  • During our maintenance outage last night, we:
    • Re-provisioned the operating system images.
    • Installed the patched software to eliminate the vulnerability.
    • Identified the subset of JazzHub users whose jazz.net passwords could have been compromised, reset their passwords and sent them the note you received asking them to establish new passwords.

In addition to the above, we are continuing with our penetration testing (which happened to be under way at the time the exposure was found), and we will continue with our regular periodic ethical hacking tests.

Again, to be clear, there is no evidence that the exposure was exploited, that any systems were compromised, nor that any personal information was actually exposed.  We took the above steps out of an abundance of caution. And it proved to be a good test of our security contingency plans.

This is a good opportunity to remind all jazz.net, including JazzHub, users to use strong passwords, to change them periodically, and to use distinct passwords for different accounts.  This will prevent the possible compromise of multiple accounts if one of your passwords is ever stolen.

We would also like to remind our community that if you discover a security vulnerability at JazzHub or suspect one, please send email to hub_security@jazz.net.  We will then work with you directly to understand the issue and address it.  Responsibly reporting these kinds of issues to our security team will help to keep JazzHub secure for all our user community.

Thanks for being a part of the JazzHub community.

Scott Rich
JazzHub Lead Architect
