Our team follows a formal escalation process for vulnerability disclosures regardless of their source—customers, researchers, internal QA teams, or others.
Based on the severity, the vulnerability is routed through senior management, remediated by the relevant development team, and communicated to affected customers.
If you are a BMC customer, follow your established support process to report security vulnerabilities, as you would any other concern. Following the customer support process will help us prioritize your report and understand its context.
To expedite handling of the vulnerability, please include:
Your name, email, and phone number
BMC product name
BMC product version (preferably the full version and patch level)
Detailed description of the vulnerability with steps to reproduce its discovery
Detailed steps to exploit the vulnerability (if available)
Applicable CVEs, hostnames, and IP addresses (for vulnerabilities related to infrastructure)
To report a security issue related to a BMC website or hosted service, please contact our IT security team at [email protected]. To report a security issue related to a BMC product, please contact our Product Security Group at [email protected].
If the content of your communication is sensitive, please download our PGP key to encrypt your email. The PGP fingerprint is: A921B4428D8C9988A29BA5BBE398A5B819611C7E
If you do not trust the integrity of this website, please email us at [email protected] with a phone number where we can reach you to provide the fingerprint verbally.
Our incident management procedure enables swift response to any potential incident. This procedure covers emergency incidents, escalation, and public vulnerability disclosure. BMC’s practices include procedures for documenting the incident in detail and producing a report for future reference or management attention.
Assess impact. The application security team reviews the submitted data with the appropriate development team to assess the vulnerability’s impact and produce an internal severity rating.
Determine what fix is required. The development team attempts to reproduce the submitted issue, then assesses the effort and resources required to fix the vulnerability or provide a workaround. They determine when the fix will be released based on the severity rating, the resources required, and the release lifecycle of the product.
Maintain communication. The application security team maintains open communication with the submitter until a fix or workaround is available.
Document and communicate fix. The development team sends a technical bulletin to all customers of the affected product, notifying them of the vulnerability and the availability of a fix or workaround.
Give credit where credit is due. Credit will be given to the submitter upon request.