Report an Issue
The BlackBerry Product Security Incident Response Team (PSIRT) responds to and investigates reports of security vulnerabilities in BlackBerry products.
If you suspect you have discovered a security vulnerability in a supported BlackBerry product, please let us know by filling out the form below.
Before you report a security vulnerability, please review the following items.
A security vulnerability can be generally defined as a flaw in software code that would allow a malicious user to gain access to information or capabilities that they should not have access to. Many problems that appear to be security-related are not actually caused by a vulnerability in a supported BlackBerry product.
You can find answers to common scenarios through the following self-service options. If you find the answer here, you don’t need to submit a security issue.
Depending on which BlackBerry product you are experiencing issues with and its support status, additional self-service or full-service support options may be available. Please access the BlackBerry contact catalog and select the Technical Support Inquiry Type, and then the most appropriate option from the Product/Inquiry Group (e.g., Enterprise, Smartphones, IoT, etc.). Complete the form to determine the available self- and full-service options.
BlackBerry Coordinated Vulnerability Disclosure Policy
BlackBerry is committed to the continuous improvement of the security of its products and strives to proactively identify and remove potential vulnerabilities before products are released to market and we work collaboratively with customers who discover and report vulnerabilities to BlackBerry in order to remediate those vulnerabilities.
BlackBerry recognizes and values the important security researcher community contributions. To partner effectively with the research community, we documented this BlackBerry Coordinated Vulnerability Disclosure Policy to promote collaboration and external party vulnerability reporting.
The vulnerability reporting process includes products currently supported by BlackBerry and its subsidiaries, as well as our website.
To determine whether a BlackBerry product is supported, please see the BlackBerry Software Support Lifecycle.
What We Expect of You
We are willing to work in good faith with security researchers who test and submit vulnerabilities according to the following guidelines.
BlackBerry fully supports security testing that:
- Is conducted in a manner that protects the security and privacy of all of our customers and partners
- Complies with integrity concerning all applicable laws and regulations around security testing activities
- Respects and adheres to its existing agreements with BlackBerry and contractual provisions that address BlackBerry’s intellectual property rights
- Perform research only within the scope defined in this policy
- Provide BlackBerry with full details of the security issue at the time of disclosure
- Give BlackBerry the opportunity to correct a vulnerability before publicly disclosing it
How to Submit a Vulnerability
If you suspect you have discovered a security vulnerability in a BlackBerry product or website, please let us know by filling out the form below.
When submitting a vulnerability, please provide full details.
- the name, version and configuration details of the affected product
- names of all researchers that were involved with the discovery of the vulnerability
- a description of the vulnerability and the environment with which it was discovered
- detailed steps to reproduce the vulnerability
- screenshots or video to demonstrate Proof of Concept (POC)
What You Can Expect BBPSIRT to Do
Within 3 North American business days, the BlackBerry Product Security Incident Response Team (BBPSIRT) will:
- Acknowledge your report, open a case within our case management system, and assign a case manager to track the investigation
- Fully investigate the first instance of a report of a unique vulnerability
- Validate the reported vulnerability. You may be contacted to provide additional information at this stage
- Communicate with you, through the Case Manager, to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation
- Upon remediation of the vulnerability, communicate the details to you
- Publicly acknowledge you on our website. BBSIRT will credit the researcher(s) listed in the initial report or that BBSIRT directly works with to resolve the vulnerability
BBPSIRT Coordinated Disclosure and Vulnerability Publication
The BBPSIRT issues security advisories for supported BlackBerry products. The BBPSIRT will work with you to determine the best avenue for coordinated disclosure of the vulnerability, which may include issuing a security advisory for supported BlackBerry products. Security advisories are published on our website.
All aspects of this policy are subject to change without notice, as well as for case-by-case exceptions. BlackBerry will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.
BlackBerry takes seriously its obligations to ensure that its products are secure and recognizes and welcomes the tremendous value that the security research community brings to these efforts and will always seek to act in good faith with anyone who reports vulnerabilities pursuant to BlackBerry established guidelines and the BlackBerry Coordinated Vulnerability Disclosure Policy.
At all times while performing security research activities in relation to BlackBerry products and services, including when submitting a BlackBerry Security Vulnerability Report, you must comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws. If required and/or upon investigation by BlackBerry, we have determined that you have failed to comply with this policy or any applicable law, BlackBerry reserves the right to pursue all applicable remedies including those under applicable civil and/or criminal law depending on the jurisdiction.
BlackBerry further reserves the right to update this policy from time to time without notice to ensure that it remains relevant and current with changing technologies, applicable laws and BlackBerry business practices.
BlackBerry takes all vulnerability reports seriously and investigates each one individually. However, to fully investigate your report, we need complete details and a Proof of Concept (PoC) for the vulnerability:
- the name, version and configuration details of the affected BlackBerry product or BlackBerry-owned website
- a complete and clear description of the vulnerability and the environment with which it was discovered
- detailed steps to reproduce the vulnerability
- screenshots or video to demonstrate POC
If you have read the checklist above and have a security vulnerability to report to BlackBerry, please contact BBPSIRT via firstname.lastname@example.org. Researchers can choose to report their vulnerability through a secure channel using our PGP public key when emailing or can request access to a BlackBerry Workspaces location.
Security researchers who wish to submit a vulnerability in a BlackBerry QNX product or service can also report an issue here – learn more.
Please ensure that your report contains the following information:
- The BlackBerry product or service that you are reporting a vulnerability against, including version information for products
- A description of the vulnerability, including steps to reproduce
- A screenshot or video POC of the vulnerability