Application security is our first priority
BMC Software is engaged in an ongoing process to continually improve the security of the applications it develops. The application security team at BMC is involved in all stages of the software development lifecycle to ensure that security is addressed, from requirements gathering, to design and architecture, through coding and testing, and finally ongoing maintenance once the software is released.
We welcome active engagement with our customers and the security research community to improve overall product security and to reduce the risk that any customer’s environment could be compromised.
How to contact us
The BMC application security team can be reached via e-mail at: firstname.lastname@example.org
If the content of your communication is sensitive, please encrypt your email using our PGP key.
The PGP fingerprint is: A9F13638234C6D92E54FC84646E9CF6F5808EF16
If you do not trust the integrity of this website, please email us at email@example.com with a phone number where you can be reached, and we will provide the fingerprint verbally.
If you have discovered a security issue related to BMC Software’s website or hosted services, please contact our IT security team at firstname.lastname@example.org.
Vulnerability Disclosure
The application security team is the conduit for communication between the security research community and the development teams for all product lines at BMC Software. We follow the process below:
- Security vulnerabilities must be submitted by e-mail to email@example.com.
To expedite handling of the vulnerability please include:
- Contact details (name, email, phone number)
- BMC product name (e.g. BladeLogic Database Automation)
- BMC product version (preferably the full version and patch level, e.g. v.9.8.01 SP1)
- Detailed description of the vulnerability, with the steps needed to reproduce it
- Detailed steps to exploit the vulnerability (if available)
- The application security team contacts both the submitter and the appropriate development team and schedules a conference call with all involved parties. Following the call the application security team reviews the submitted vulnerability, assesses its impact, and produces an internal severity rating.
- The development team attempts to reproduce the issue submitted. They then assess the effort and resources required to fix the vulnerability or to provide a workaround. Finally, they decide when the fix will be released based on the severity rating of the vulnerability, the resources required, and the release lifecycle of the product.
- The application security team files for a CVE number.
- The application security team maintains open communication with the submitter until a fix or workaround is available.
- The development team sends a technical bulletin to all customers of the affected product notifying them of the vulnerability and the availability of a fix or a workaround. Credit will be given to the submitter upon request.
- The application security team publishes a CVE bulletin. Credit will be given to the submitter upon request.