Report an Issue

The BlackBerry Security Incident Response Team (BBSIRT) responds to and investigates reports of security vulnerabilities in BlackBerry products.

If you suspect you have discovered a security vulnerability in a supported BlackBerry product, please let us know by filling out the form below.

Before you report a security vulnerability, please review the following checklist.

A security vulnerability can be generally defined as a flaw in software code that would allow a malicious user to gain access to information or capabilities that they should not have access to. Many problems that appear to be security-related are not actually caused by a vulnerability in a supported BlackBerry product.

You can find answers to common scenarios below. If you find the answer here, you don’t need to submit a security issue.

If you have reviewed the information above and determined that the issues you are having with your BlackBerry product are not related to a security vulnerability, BlackBerry provides the following self-service options to assist you: 

Depending on which BlackBerry product you are experiencing issues with and its support status, additional self-service or full-service support options may be available. Please access the BlackBerry contact catalog and select the Technical Support Inquiry Type, and then the most appropriate option from the Product/Inquiry Group (e.g., Enterprise, Smartphones, IoT, etc.). Complete the form to determine the available self- and full-service options.

 

To determine whether a product is in support, please see the BlackBerry Software Support Lifecycle.

BlackBerry Coordinated Vulnerability Disclosure Policy

BlackBerry is committed to the continuous improvement of the security of its products and strives to proactively identify and remove potential vulnerabilities before products are released to market. We also work collaboratively with customers who discover and report vulnerabilities to BlackBerry in order to remediate those vulnerabilities.

BlackBerry recognizes and values the important contributions of the security researcher community. To partner effectively with the research community, we documented this BlackBerry Coordinated Vulnerability Disclosure Policy to promote collaboration and external party vulnerability reporting.

Scope

The vulnerability reporting process includes products currently supported by BlackBerry and its subsidiaries, as well as our website.

To determine whether a BlackBerry product is supported, please see the BlackBerry Software Support Lifecycle.

What We Expect of You

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to the following guidelines.

BlackBerry fully supports security testing that: 

  • Is conducted in a manner that protects the security and privacy of all of our customers and partners
  • Complies with integrity concerning all applicable laws and regulations around security testing activities
  • Respects and adheres to its existing agreements with BlackBerry and contractual provisions that address BlackBerry’s intellectual property rights
  • Is performed only within the scope defined in this policy
  • Provides BlackBerry with full details of the security issue at the time of disclosure
  • Gives BlackBerry the opportunity to correct a vulnerability before it is publicly disclosed

How to Submit a Vulnerability

If you suspect you have discovered a security vulnerability in a BlackBerry product or website, please let us know by filling out the form below.

When submitting a vulnerability, please provide full details.

This includes:

  • the name, version and configuration details of the affected product
  • names of all researchers that were involved with the discovery of the vulnerability
  • a description of the vulnerability and the environment in which it was discovered
  • detailed steps to reproduce the vulnerability
  • screenshots or video to demonstrate Proof of Concept (POC)

What You Can Expect BBSIRT to Do

Within 3 North American business days, the BlackBerry Security Incident Response Team (BBSIRT) will:

  • Acknowledge your report, open a case within our case management system, and assign a case manager to track the investigation
  • Fully investigate the first instance of a report of a unique vulnerability
  • Validate the reported vulnerability. You may be contacted to provide additional information at this stage
  • Communicate with you, through the Case Manager, to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation
  • Upon remediation of the vulnerability, communicate the details to you
  • Publicly acknowledge you on our website. BBSIRT will credit the researcher(s) listed in the initial report or those BBSIRT works with directly to resolve the vulnerability

BBSIRT Coordinated Disclosure and Vulnerability Publication

The BBSIRT issues security advisories for supported BlackBerry products. The BBSIRT will work with you to determine the best avenue for coordinated disclosure of the vulnerability, which may include issuing a security advisory for supported BlackBerry products. Security advisories are published on our website.

All aspects of this policy are subject to change without notice, as well as to case-by-case exceptions. BlackBerry will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.

 

Legal Disclaimer

BlackBerry takes seriously its obligations to ensure that its products are secure, and recognizes and welcomes the tremendous value that the security research community brings to these efforts. BlackBerry will always seek to act in good faith with anyone who reports vulnerabilities pursuant to BlackBerry established guidelines and the BlackBerry Coordinated Vulnerability Disclosure Policy.

At all times while performing security research activities in relation to BlackBerry products and services, including when submitting a BlackBerry Security Vulnerability Report, you must comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws. If required and/or upon investigation by BlackBerry, we have determined that you have failed to comply with this policy or any applicable law, BlackBerry reserves the right to pursue all applicable remedies including those under applicable civil and/or criminal law depending on the jurisdiction.

BlackBerry further reserves the right to update this policy from time to time without notice to ensure that it remains relevant and current with changing technologies, applicable laws and BlackBerry business practices.

 

BlackBerry takes all vulnerability reports seriously and investigates each one individually. However, to fully investigate your report, we need complete details and a Proof of Concept (PoC) for the vulnerability:

  • the name, version and configuration details of the affected BlackBerry product or BlackBerry-owned website
  • a complete and clear description of the vulnerability and the environment in which it was discovered
  • detailed steps to reproduce the vulnerability
  • screenshots or video to demonstrate POC

Security researchers who wish to submit their vulnerability through a secure channel should contact BBSIRT via secure@blackberry.com using our PGP public key. Researchers can also email us for access to a BlackBerry Workspaces location.

Security researchers who wish to submit a vulnerability in a QNX product or service should click here for further information.
