
Vulnerability Disclosure

BMC welcomes input on potential vulnerabilities from all sources

Our team follows a formal escalation process for vulnerability disclosure regardless of the report's source: customers, researchers, internal QA teams, or others.

Based on the severity, the vulnerability is routed through senior management, remediated by the relevant development team, and communicated to affected customers.

Process for Vulnerability Disclosure


BMC Customer

If you are a BMC customer, follow your established support process to report security vulnerabilities, as you would any other concern. Following the customer support process helps us prioritize your report and understand its context.

To expedite handling of the vulnerability, please include:

  • Your name, email, and phone number
  • BMC product name (e.g., TrueSight Server Automation)
  • BMC product version (preferably the full version and patch level, e.g., v.9.8.01 SP1)
  • Detailed description of the vulnerability with steps to reproduce its discovery
  • Detailed steps to exploit the vulnerability (if available)
  • Applicable CVEs, hostnames, and IP addresses (for vulnerabilities related to infrastructure)


External Researcher

To report a security issue related to a BMC website or hosted service, please contact our IT security team at security-alert@bmc.com. To report a security issue related to a BMC product, please contact our Product Security Group at appsec@bmc.com.

To expedite handling of the vulnerability, please include:

  • Your name, email, and phone number
  • BMC product name (e.g., TrueSight Server Automation)
  • BMC product version (preferably the full version and patch level, e.g., v.9.8.01 SP1)
  • Detailed description of the vulnerability with steps to reproduce its discovery
  • Detailed steps to exploit the vulnerability (if available)
  • Applicable CVEs, hostnames, and IP addresses (for vulnerabilities related to infrastructure)

If the content of your communication is sensitive, please download our PGP key to encrypt your email. The PGP fingerprint is: A921B4428D8C9988A29BA5BBE398A5B819611C7E

If you do not trust the integrity of this website, please email us at appsec@bmc.com with a phone number where we can reach you to provide the fingerprint verbally.

Once you submit, BMC takes over through resolution

Our incident management procedure enables swift response to any potential incident. This procedure covers emergency incidents, escalation, and public vulnerability disclosure. BMC’s practices include procedures for documenting the incident in detail and producing a report for future reference or management attention.

Assess impact. The application security team reviews the submitted data with the appropriate development team to assess the vulnerability’s impact and produce an internal severity rating.

Determine what fix is required. The development team attempts to reproduce the submitted issue, then assesses the effort and resources required to fix the vulnerability or provide a workaround. They determine when the fix will be released based on the severity rating, the resources required, and the release lifecycle of the product.

Maintain communication. The application security team maintains open communication with the submitter until a fix or workaround is available.

Document and communicate fix. The development team sends a technical bulletin to all customers of the affected product, notifying them of the vulnerability and the availability of a fix or workaround.

Give credit where credit is due. Credit will be given to the submitter upon request.

Incident Management