Report an Issue

The BlackBerry Product Security Incident Response Team (PSIRT) responds to and investigates reports of security vulnerabilities in BlackBerry products.

If you suspect you have discovered a security vulnerability in a supported BlackBerry product, please let us know by filling out the form below.

Before you report a security vulnerability, please review the following items.

A security vulnerability can be generally defined as a flaw in software code that would allow a malicious user to gain access to information or capabilities that they should not have access to. Many problems that appear to be security-related are not actually caused by a vulnerability in a supported BlackBerry product.

You can find answers to common scenarios through the following self-service options. If you find the answer here, you don’t need to submit a security issue.

Depending on which BlackBerry product you are experiencing issues with and its support status, additional self-service or full-service support options may be available. Please access the BlackBerry contact catalog and select the Technical Support Inquiry Type, and then the most appropriate option from the Product/Inquiry Group (e.g., Enterprise, Smartphones, IoT, etc.). Complete the form to determine the available self- and full-service options.

To determine whether a product is in support, please see the BlackBerry Software Support Lifecycle.

BlackBerry Coordinated Vulnerability Disclosure Policy

BlackBerry is committed to the continuous improvement of the security of its products and strives to proactively identify and remove potential vulnerabilities before products are released to market. We also work collaboratively with customers who discover and report vulnerabilities to BlackBerry in order to remediate those vulnerabilities.

BlackBerry recognizes and values the importance of community contributions from researchers and other finders. To partner effectively with these contributors, we documented this BlackBerry Coordinated Vulnerability Disclosure Policy to promote collaboration and external party vulnerability reporting.

Key takeaways for this policy include:

  • The vulnerability reporting process includes currently supported products. 

  • BlackBerry will work in good faith with security researchers who test and submit vulnerabilities according to a few standard guidelines.

  • BlackBerry’s Product Security Incident Response Team (BBPSIRT) will work with you to determine the best avenue for coordinated disclosure of the vulnerability.

  • In cases of failure to comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws, BlackBerry reserves the right to pursue all applicable remedies.

Scope

The vulnerability reporting process includes products currently supported by BlackBerry and its subsidiaries, as well as our website.

To determine whether a BlackBerry product is supported, please see the BlackBerry Software Support Lifecycle.

Who Should Read This Policy?

This policy should be read by all security researchers and finders who test and submit vulnerabilities in BlackBerry supported products or BlackBerry websites. 

What We Expect of You

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to the following guidelines.

BlackBerry fully supports security testing that: 

  • Is conducted in a manner that protects the security and privacy of all of our customers and partners
  • Complies with integrity concerning all applicable laws and regulations around security testing activities
  • Respects and adheres to its existing agreements with BlackBerry and contractual provisions that address BlackBerry’s intellectual property rights
  • Is performed only within the scope defined in this policy
  • Provides BlackBerry with full details of the security issue at the time of disclosure
  • Gives BlackBerry the opportunity to take corrective action before the vulnerability is publicly disclosed or disclosed to other third parties

How to Submit a Vulnerability

If you suspect you have discovered a security vulnerability in a BlackBerry product or website, please let us know by filling out the form below.

When submitting a vulnerability, please provide full details.

This includes:

  • the name, version, and configuration details of the affected product,
  • names of all researchers that were involved with the discovery of the vulnerability,
  • a description of the vulnerability and the environment with which it was discovered,
  • detailed steps to reproduce the vulnerability, and
  • screenshots or video to demonstrate Proof of Concept (POC).

What You Can Expect BBPSIRT to Do

 The BlackBerry Product Security Incident Response Team (BBPSIRT) will:

  • Within 3 North American business days, acknowledge your report, open a case within our case management system, and assign a Case Manager to track the investigation,
  • Fully investigate the first instance of a report of a unique vulnerability in a currently supported BlackBerry product or the website,
  • Validate the reported vulnerability. You may be contacted to provide additional information at this stage,
  • Communicate with you, through the Case Manager, to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation,
  • Upon remediation of the vulnerability, communicate the details to you, and
  • Publicly acknowledge you on our website. The BBPSIRT will credit the researcher(s) listed in the initial report or the researcher(s) who the BBPSIRT directly works with to resolve the vulnerability.

BBPSIRT Coordinated Disclosure and Vulnerability Publication

The BBPSIRT issues security advisories for supported BlackBerry products. The BBPSIRT will work with you to determine the best avenue for coordinated disclosure of the vulnerability, which may include issuing a security advisory for supported BlackBerry products. Security advisories are published on our website.

Advisories are published once supported versions of products have released software updates with the vulnerability remediated. For certain products, such as the QNX® RTOS, a private advisory will be shipped to our customers in advance of the advisory being published on our website. This is to ensure that customers utilizing those products have the opportunity to incorporate our vulnerability fixes and issue their own software maintenance releases.

This version of this policy supersedes all previous versions. All aspects of this policy are subject to change without notice, as well as to case-by-case exceptions. BlackBerry will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.

 

Legal Disclaimer

BlackBerry takes seriously its obligations to ensure that its products are secure and recognizes and welcomes the tremendous value that the security research community brings to these efforts, and will always seek to act in good faith with anyone who reports vulnerabilities pursuant to BlackBerry established guidelines and the BlackBerry Coordinated Vulnerability Disclosure Policy.

At all times while performing security research activities in relation to BlackBerry products and services, including when submitting a BlackBerry Security Vulnerability Report, you must comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws. If required and/or upon investigation by BlackBerry, we have determined that you have failed to comply with this policy or any applicable law, BlackBerry reserves the right to pursue all applicable remedies, including those under applicable civil and/or criminal law depending on the jurisdiction.

BlackBerry further reserves the right to update this policy from time to time without notice to ensure that it remains relevant and current with changing technologies, applicable laws, and BlackBerry business practices.

 

BlackBerry takes all vulnerability reports seriously and investigates each one individually. However, to fully investigate your report, we need complete details and a Proof of Concept (PoC) for the vulnerability:

  • the name, version and configuration details of the affected BlackBerry product or BlackBerry-owned website
  • a complete and clear description of the vulnerability and the environment with which it was discovered
  • detailed steps to reproduce the vulnerability
  • screenshots or video to demonstrate POC

If you have read the checklist above and have a security vulnerability to report to BlackBerry, please contact BBPSIRT via secure@blackberry.com. Researchers can choose to report their vulnerability through a secure channel using our PGP public key when emailing or can request access to a BlackBerry Workspaces location.

Security researchers who wish to submit a vulnerability in a BlackBerry QNX product or service can also report an issue here – learn more.

Please ensure that your report contains the following information:

  • The BlackBerry product or service that you are reporting a vulnerability against, including version information for products
  • A description of the vulnerability, including steps to reproduce
  • A screenshot or video POC of the vulnerability