Secure Product Development Policy
BMC Software Inc. and its affiliates (BMC) strive to develop and deliver robust, reliable and secure products meeting the highest industry standards. Product security is integral to BMC’s product development lifecycles. As part of that process, BMC incorporates threat modeling, attack surface analysis, security architecture analysis and continuous security training for its product teams. BMC performs internal and third-party penetration testing on its products with an emphasis on OWASP top 10 security risks, and leverages extensive static and dynamic code scanning to ensure BMC products are secure from known vulnerabilities.
BMC Open-Source and Third-party Software Security Policy
BMC ensures a security vulnerability review is performed by qualified personnel using an industry-leading vulnerability-scanning engine and executed against products using third-party or open-source components. Additionally, third-party software is also manually reviewed to ensure that the third-party vendor complies with BMC policies.
As part of the product development lifecycle, BMC performs continuous scanning, allowing BMC to react to new threats as they are publicly disclosed and take corrective actions before product release. While BMC aims to keep the open-source components up to date, priority is given to those components with vulnerabilities that may affect a BMC product. Components that have known vulnerabilities, but do not affect any BMC product are also upgraded in future releases.
BMC Vulnerability Response Policy
Security vulnerability sources
BMC receives private reports on vulnerabilities from its customers, field personnel and partners, and via researchers from the security community.
BMC monitors public repositories of third-party software as well as other threat intelligence channels to identify newly discovered vulnerabilities that may affect BMC products.
Reporting a potential vulnerability
BMC believes that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Therefore, BMC adheres to a 90-day disclosure timeline, though we reserve the right to adjust this timeline based on circumstances.
Responsible disclosures should include product name and version, installation environment, description of the vulnerability, and exploit/proof of concept of the suspected vulnerability.
BMC customers should report vulnerabilities by following the standard support process.
Vulnerability acknowledgement and initial analysis
Upon receipt of a report of a vulnerability, BMC will triage the report, determine which BMC product is affected, attempt to replicate the reported vulnerability and compute the severity of the vulnerability.
BMC will continually provide feedback to the reporter of the vulnerability and work with them to mitigate the vulnerability.
Vulnerability severity – CVSS scoring
BMC uses version 3.0 of the Common Vulnerability Scoring System as part of its standard process of evaluating reported potential vulnerabilities in BMC products.
If not provided, BMC will compute the environmental score assuming the tested BMC product is configured as defined in the online product documentation and placed behind appropriate in-depth protections.
Depending on the CVSS score of the vulnerability, BMC will determine the urgency of remediating the vulnerability:
9.0 - 10 (Critical)
BMC will begin corrective action immediately, develop a fix or workaround, and provide it to customers in the shortest commercially reasonable time
7.0 - 8.9 (High)
BMC will deliver a fix or workaround with the next planned maintenance or as an update release or in the form of a hot fix to the BMC product
4.0 - 6.9 (Medium)
BMC will deliver a fix or workaround with the next planned release of the BMC product
0.1 – 3.9 (Low)
BMC will deliver a fix or workaround with the next two planned releases of the BMC product
BMC will release a fix or workaround for all BMC products that are affected by the vulnerability. Depending on the vulnerability severity, customers’ requirements, and BMC options, the fix or workaround may take one or more of these forms:
- A corrective procedure or workaround that instructs users to adjust the BMC product’s configuration or environment configuration to mitigate the vulnerability;
- A patch that can be installed on top of the affected BMC product;
- Instructions to download and install an update or patch for a third-party software component that is part of the BMC product installation;
- A new maintenance or update release of the affected BMC product; or
- A new major or minor release of the affected BMC product
Notification to BMC customers
Depending on any specific vulnerability, and the mitigation involved, BMC will notify customers through one or more of the following methods:
- Proactive notifications (https://www.bmc.com/support/resources/customer-notice-types.html)
- Public advisories on the Application Security News feed (https://communities.bmc.com/blogs/application-security-news)
- Release notes, product documentation, and knowledge article