Report an Issue

The BlackBerry Security Response Center responds to reports of security vulnerabilities in BlackBerry products.

If you suspect you have discovered a security vulnerability in a supported BlackBerry product, please let us know by filling out the form below. Before you report a security vulnerability, please review the following checklist:

  • Is my problem a security vulnerability or a technical support inquiry?

    A security vulnerability can be generally defined as a flaw in software code that would allow a malicious user to gain access to information or capabilities that they should not have access to. Many problems that appear to be security-related are not actually caused by a vulnerability in a supported BlackBerry product.

    You can find answers to common problems below. If you find the answer here, you don’t need to submit a security issue.

    If you suspect your problem is a technical support issue but it is not in the list above, please Contact Us for Technical Support Inquiries.

  • Is the security vulnerability in a supported BlackBerry product or website?

    To determine whether a product is in support, please see the BlackBerry Software Support Lifecycle.

  • Have I reviewed the BlackBerry Coordinated Vulnerability Disclosure Policy?

    Product Vulnerability Disclosure Reporting

    BlackBerry is committed to the continuous improvement of the security of its products and strives to proactively identify and remove potential vulnerabilities before the product is released to market. However, in today’s world, software vulnerabilities remain an ongoing fact of life. BlackBerry is committed to close collaboration with the security researcher community to discover and remediate vulnerabilities.

    BlackBerry recognizes and values the important contributions that the security researcher community currently makes and can make in the future. To partner effectively with the research community, we are introducing our initial Coordinated Vulnerability Disclosure Policy designed to promote collaboration and external party vulnerability reporting.

    Scope

    The scope of our vulnerability reporting process includes BlackBerry QNX products and certain supported Enterprise Software, Messaging Software, and Smartphone products, as well as our website. To determine whether a BlackBerry product is supported, please see the BlackBerry Software Support Lifecycle.

    What We Expect of You

    We are willing to work in good faith with security researchers who test and submit vulnerabilities according to these guidelines:

    • Conduct your research in a way that:

      • protects the property and privacy of our customers and partners;
      • complies with all applicable laws and regulations in the course of your testing activities.

    • Perform research only within the scope defined in this document.
    • Give us an opportunity to correct a vulnerability before publicly disclosing it.
    • Provide full details of the security issue at the time of disclosure.

    How to Submit a Vulnerability

    If you suspect you have discovered a security issue (vulnerability) in a BlackBerry product or website, please let us know by filling out the form below.

    Researchers who wish to submit a vulnerability using PGP should use our PGP Public Key to encrypt the email and send it to secure@blackberry.com. Email us to acquire our PGP key.

    When submitting a vulnerability, please provide full details. This includes:

    • the name, version and configuration details of the affected product
    • a description of the vulnerability and the environment in which it was discovered
    • detailed steps to reproduce the vulnerability
    • screenshots or video to demonstrate POC

    What You Can Expect BBSIRT to Do

    Within 3 working North American business days, acknowledge your report, open a case within our case management system, and assign a case manager to track the investigation.

    Escalate the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.

    Communicate with you, through the case manager, to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation. Upon remediation of the vulnerability, communicate the remediation to you. Publicly acknowledge you on our website.

    BBSIRT Vulnerability Publication and Coordinated Disclosure

    BlackBerry issues security advisories for supported BlackBerry products. Security advisories are published on our website. For advisory-class issues, BBSIRT will coordinate disclosure of the vulnerability.

    All aspects of this process are subject to change without notice and to case-by-case exceptions. BlackBerry will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.

    Legal

    At all times while performing security research activities in relation to BlackBerry products and services, including when submitting a BlackBerry Security Vulnerability Report, you must comply with the BlackBerry Coordinated Vulnerability Disclosure Policy and all applicable laws. If you fail to comply with this policy or any applicable law, you may be subject to civil and/or criminal liability.

    This policy may be updated to ensure it remains relevant and current with changing technologies, applicable laws and BlackBerry business practices.

  • Do I have full details of the vulnerability, including detailed steps to reproduce and screenshots or video to demonstrate POC?

    BlackBerry takes all vulnerability reports seriously and investigates each one individually. However, to fully investigate your report, we need complete details and POC for the vulnerability:

    • the name, version and configuration details of the affected product/website
    • a complete and clear description of the vulnerability and the environment in which it was discovered
    • detailed steps to reproduce the vulnerability
    • screenshots or video to demonstrate POC


I have read the checklist above and have a security vulnerability to report to BlackBerry.

Security researchers who wish to submit their vulnerability through a secure channel should contact BBSIRT via secure@blackberry.com using our PGP public key. Researchers can also email us for access to a BlackBerry Workspaces location.

Security researchers who wish to submit a vulnerability in a QNX product or service should click here for further information.
