BMC welcomes input on potential vulnerabilities from its customers, field personnel and partners, and via researchers from the security community.
To improve overall product security and reduce the risk to any customer's environment, our team follows a formal escalation process for vulnerability disclosures regardless of their source (researcher, customer, internal QA team, or others). Based on the severity of the vulnerability, it is routed through senior management, remediated by the relevant product development team, and communicated to affected customers.
- Submit vulnerability. If you are a BMC customer, follow your established support process to report security vulnerabilities as you would any other concern. Following the customer support process will help us prioritize your report and understand its context.
If you are an external researcher or anyone else with no access to BMC support and discover a security issue related to a BMC website or hosted service, please contact our IT security team at firstname.lastname@example.org.
If you are an external researcher or anyone else with no access to BMC support and discover a security issue related to a BMC product, please contact our Product Security Group at email@example.com. If the content of your communication is sensitive, please encrypt your email using our PGP key. The PGP fingerprint is: A921B4428D8C9988A29BA5BBE398A5B819611C7E
You can download this PGP key.
If you do not trust the integrity of this website please email us at firstname.lastname@example.org with a phone number where you can be reached and we will provide the fingerprint verbally.
To expedite handling of the vulnerability please include:
  - Contact details (name, email, phone number)
  - BMC product name (e.g. TrueSight Server Automation)
  - BMC product version (preferably the full version and patch level, e.g. v.9.8.01 SP1)
  - Detailed description of the vulnerability with steps to reproduce its discovery
  - Detailed steps to exploit the vulnerability (if available)
- Assess impact. The application security team reviews the submitted data with the appropriate development team to assess the vulnerability’s impact and produce an internal severity rating.
- Determine what fix is required. The development team attempts to reproduce the issue submitted and assesses the effort and resources required to fix the vulnerability or to provide a workaround. They determine when the fix will be released based on the severity rating, the resources required, and the release lifecycle of the product.
- Maintain communication. The application security team maintains open communication with the submitter until a fix or workaround is available.
- Document and communicate fix. The development team sends a technical bulletin to all customers of the affected product, notifying them of the vulnerability and the availability of a fix or a workaround.
- Give credit where credit is due. Credit will be given to the submitter upon request.
Our incident management procedure enables swift response to any potential incident. This procedure covers emergency incidents, escalation, and public vulnerability disclosure. BMC’s practices include a procedure for documenting the incident in detail and producing a report for future reference or management’s attention.