If you get dinged by a scanning service, such as Qualys, you can go to the subject line site at: https://www.ibm.com/support/pages/bulletin/search/
Once there you paste in the CVE. Let's use CVE-2023-51385 as an example. If the CVE exists on an IBM product, and IBM has a fix available for it, it MAY be listed here.
If you do not see it there, you can use the link below called "Report Security Issue". This goes to the Product Security Incident Response Team (PSIRT). Opening a case like you normally do with IBM i is one way. I have done this. Actually a few times lately. PSIRT will reply in a few ways. If they know of a fix that you missed finding, they will reply with said fix. If the CVE has not been addressed on the item in question, you will receive something like "we cannot confirm or deny that there is such a vulnerability". I've received my fair share of these recently also. For example, a CVE was addressed in HMC 10 but not in 11. And, since the CVE was addressed after 11 came out, you'd be a fool to assume it was just part of 11.
Sometimes the CVE has been addressed but the PSIRT has not put it on the subject line website yet. Like the CVE listed in the latest version of Power 11 firmware. You can plainly see that in the readme for that level of the firmware.
So search:
I have received acknowledgement that one of the CVEs I'm looking for was reported to PSIRT 11 months earlier. (CVSS = 7.5) It's one of those "I cannot confirm or deny..." ones.
You can also sign up for notifications of when fixes for CVEs are made available at: https://www.ibm.com/support/mynotifications
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
------------------------------