At DerbyCon I made a point about IBM's security response procedures. It's a complex and subtle issue that won't carry well over Twitter. Here's my quick attempt at clarifying my personal view, hurriedly typed on a phone before I catch a flight.
IBM responded quickly and proactively to seeing the original HITB abstract (they contacted me). They asked smart questions and got a patch out for NVAS quickly. It was a somewhat uncomfortable conversation, over email only, as I believe their legal team "contributed" to each mail.
However, the patch and knowledge of the issue are only available to active NVAS customers (not wider System Z customers), and no fixes exist for the wider issue. IBM take a stance of not publicizing new vulnerabilities beyond a need-to-know group. There's some merit to this, but it clearly limits the sort of public scrutiny and tool development other applications see (for example, there are nearly no Metasploit modules for System Z despite its long life and critical use within its install base).
However, within 45 minutes of hypothesizing it, I was able to find and implement tools to exploit a family of vulnerabilities within the 30-year-old TN3270 protocol, one that likely affects nearly every app exposed via that protocol. This includes apps run in CICS, IMS, REXX etc. That's pretty significant, and there's no patch for it (that I can see, or that IBM can point customers to at the time of publication) beyond fixing each vulnerable app individually.
I'm pretty confident that nearly no one, as a tourist to Windows or Facebook systems (for example), would achieve anything so damaging in the same timeframe against those systems, and especially not against critical protocols that have been in use for over 30 years. So what's the difference?
My belief is that it's the approach: by discouraging a wider understanding of security issues and inhibiting offensive innovation within mainframes, IBM has landed themselves in a situation where enterprise mainframe apps are more vulnerable than their web app counterparts. Other apps have been exposed to full disclosure and have used those issues to direct their security teams. Note, the subtlety here is not that IBM doesn't have smart security people, but rather that they may not have had their focus sharpened by external research in the way someone like Microsoft did.
That approach, exposure to external research and disclosure, seems to be the best we have at the moment, characterized by the movement towards bug bounties.
As a final point, IBM may have listened to their customers on security up till now. But it's been at the expense of ignoring security researchers. It may come to a point soon where they need to take a smart stance, even if it's in opposition to customers, to enhance the security of their platform.