IBM Security Bulletins
IBM uses various methods to communicate security vulnerability information to customers. The company uses Security Bulletins when publicly disclosing security vulnerabilities discovered in IBM offerings and leverages alternative tools and processes, where appropriate (i.e., for System z, managed and cloud-based services), for more targeted and discrete communications with entitled customers. When IBM publishes a Security Bulletin, the company intends to provide vulnerability information in it that is similar to the content specified in the Common Vulnerability Reporting Framework (CVRF). IBM does not intend to provide vulnerability details that could enable someone to craft an exploit.
IBM intends to use the Common Vulnerability Scoring System (CVSS) as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an open industry standard for assessing the severity or impact of computer system security vulnerabilities. This standard attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS 'score' is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments.
When and where applicable, future IBM Security Bulletins will provide the CVSS Base Score and the vector for each vulnerability, a reference to the assigned Common Vulnerabilities and Exposures identifier, remediation for the affected offering(s) and other relevant links that may cover additional information.
Starting in 2012, IBM began posting a summary of its Security Bulletins from the previous quarter on the 3rd Tuesday of January, April, July and October.
IBM PSIRT Quarterly Security Bulletin Summary - 4th Quarter 2011
The next three dates for 2012 are: