BlackBerry Coordinated Vulnerability Disclosure Policy

BlackBerry is committed to the continuous improvement of the security of its products and strives to proactively identify and remove potential vulnerabilities before our products are released to the market.

However, despite our best efforts, vulnerabilities will infrequently occur in our products and websites. We recognize and work collaboratively with finders who discover and report them to BlackBerry so we can remediate those vulnerabilities.

To partner effectively with these contributors, we documented this BlackBerry Coordinated Vulnerability Disclosure Policy to promote collaboration and external party vulnerability reporting.

Key takeaways for this policy include:

  • The vulnerability reporting process includes currently supported products.
  • BlackBerry will work in good faith with finders who test and submit vulnerabilities according to a few standard guidelines.
  • BlackBerry’s Product Security Incident Response Team (BBPSIRT) will work with finders to determine a path for coordinated disclosure of the vulnerability.
  • In cases of failure to comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws, BlackBerry reserves the right to pursue all applicable remedies.
     

Scope

The vulnerability reporting process includes products currently supported by BlackBerry, our subsidiaries, and our website.

To determine whether a BlackBerry product is supported, please see the BlackBerry Software Support Lifecycle.
 

Who Should Read This Policy?

This policy should be read by all finders who discover, test, and submit vulnerabilities in BlackBerry-supported products or BlackBerry websites. 
 

What We Expect of Finders

We will work in good faith with finders who test and submit vulnerabilities according to the following guidelines.

BlackBerry fully supports security testing that: 

  • Is conducted in a manner that protects the security and privacy of all of our customers and partners
  • Complies, with integrity, with all applicable laws and regulations around security testing activities
  • Respects and adheres to its existing agreements with BlackBerry and contractual provisions that address BlackBerry’s intellectual property rights
  • Performs research only within the scope defined in this policy
  • Provides BlackBerry with full details of the security issue at the time of disclosure
  • Allows BlackBerry the opportunity to take corrective action before publicly disclosing the vulnerability or disclosing it to other third parties 
     

How to Submit a Vulnerability

If you suspect you have discovered a security vulnerability in a BlackBerry product or website, please let us know by contacting the BlackBerry PSIRT (BBPSIRT) at secure@blackberry.com.

When submitting a vulnerability, please provide full details.

This includes:

  • The name, version, and configuration details of the affected product,
  • The names of all finders that were involved with the discovery of the vulnerability,
  • A description of the vulnerability and the environment in which it was discovered,
  • Detailed steps to reproduce the vulnerability, and
  • Screenshots or video to demonstrate Proof of Concept (PoC)
     

What Finders Can Expect the BBPSIRT To Do

The BBPSIRT will:

  • Within 3 North American business days, acknowledge the finder's report, open a case within our case management system, and assign a Case Manager to track the investigation
  • Fully investigate the first instance of a report of a unique vulnerability in a currently supported BlackBerry product or website
  • Validate the reported vulnerability. We may contact the finder for additional information at this stage
  • Communicate with the finder, through the Case Manager, to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation
  • Upon remediation of the vulnerability, communicate the details to the finder, and
  • Publicly acknowledge the finder on our website. The BBPSIRT will credit the finder(s) listed in the initial report or the finder(s) with whom the BBPSIRT directly works to resolve the vulnerability.
     

BBPSIRT Coordinated Disclosure and Vulnerability Publication

The BBPSIRT issues security advisories for supported BlackBerry products and will work with finders to determine the best avenue for coordinated disclosure of the vulnerability, which may include issuing a security advisory for supported BlackBerry products. Security advisories are released publicly and published on our website.

Advisories are published once supported versions of products have released software updates with the vulnerability remediated. For certain products, such as the QNX® RTOS, a private advisory will be given to our customers before the advisory is shared publicly and is published on our website. This is to ensure that customers utilizing those products have the opportunity to incorporate our vulnerability fixes into their software and issue their own software maintenance releases.

Legal Disclaimer

BlackBerry takes its obligations to ensure that its products are secure seriously and recognizes and welcomes the tremendous value that the security research community brings to these efforts, and will always seek to act in good faith with anyone who reports vulnerabilities according to BlackBerry's established guidelines and the BlackBerry Coordinated Vulnerability Disclosure Policy.

While performing security research activities in relation to BlackBerry products and services, including when submitting a BlackBerry Security Vulnerability Report, you must comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws. If BlackBerry determines, where required and/or upon investigation, that you have failed to comply with this policy or any applicable law, BlackBerry reserves the right to pursue all applicable remedies, including those under applicable civil and/or criminal law depending on the jurisdiction.

BlackBerry further reserves the right to update this policy from time to time without notice to ensure that it remains relevant and current with changing technologies, applicable laws, and BlackBerry business practices.

This version of the BlackBerry Coordinated Vulnerability Disclosure Policy supersedes all previous versions, and all aspects of this policy are subject to change without notice, as well as case-by-case exceptions. BlackBerry will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.