“WebSphere Portal (previously owned by IBM) was sold off to HCL Technologies in 2019 and rebranded as HCL DX. Reporting the issues to HCL Technologies was a very painful experience. During the process of co-ordinated disclosure, HCL Technologies started threatening the researcher and their company that “HCL Technologies will cite you as an irresponsible vulnerability disclosure party to the communities that we post to”. Throughout the process of reporting the issues, they refused to acknowledge the vulnerabilities as being valid, until they were published in a blog post.
After being called out on their behavior in the blog post, with evidence of the bugs, they quickly changed their stance on the issue and finally issued advisories after being approached by the media (The Daily Swig). When asked for a comment: Brian Blackshaw, director of PSIRT Operations at HCL Software, told The Daily Swig: “It’s our policy to disclose as soon as remediation/mitigation is available.”
WebSphere Portal is used by thousands of enterprises and is extremely popular in the government sector in particular. The vulnerabilities were pre-authentication and allowed attackers to request arbitrary URLs on behalf of the server.
https://portswigger.net/daily-swig/hcl-technologies-patches-serious-vulnerabilities-in-hcl-dx”