Believe it or not, there are still researchers out there, who just want to do the right thing, and report critical vulnerabilities privately, without looking for compensation. Unfortunately this doesn’t quite work with bureaucracies, like IBM. When Pedro Ribeiro first tried to inform them about a pre-auth remote root exploit in Data Risk Manager (oh, the irony!), Big Blue neglected the report, because the paperwork wasn’t right: Ribeiro reported via CERT/CC, not HackerOne. On the second try, IBM closed the issue as out-of-scope, because the affected product is only available to customers with enhanced support. Fortunately, a well deserved 0-day drop put IBM in the right direction, and after just a little more than two weeks, even their enhanced support customers could enjoy the benefits of the patch.