Blackboard is committed to resolving security vulnerabilities quickly and carefully. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our customers. In order to protect our customers and their data, we request that vulnerabilities be responsibly and confidentially reported to us so that we may investigate and respond. Vulnerabilities should not be announced until we have developed and comprehensively tested a product update and made it available to licensed customers.
Blackboard’s products are complex. They run on diverse hardware and software configurations, and are connected to many third-party applications. All software modifications, big or small, require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and testing appropriate to its scope, complexity and severity. Given the critical importance of our products to our customers, Blackboard must ensure that they run correctly not only in our testing facilities, but also in customer environments. Accordingly, Blackboard cannot provide product updates according to a set timeline, but we are committed to working expeditiously.
Malicious parties often exploit software vulnerabilities by reverse engineering published security advisories and product updates. It is important for customers to update software promptly and use our severity rating system as a guide to better schedule upgrades. Therefore, public discussion of the vulnerability is only appropriate after customers have an opportunity to obtain product updates.
You should conduct all vulnerability testing against non-production instances of our products to minimize the risk to data and services.
To all vulnerability reporters who follow this Policy, Blackboard will attempt to do the following:
With the agreement of the vulnerability reporter, Blackboard may acknowledge the reporter's contribution during the public disclosure of the vulnerability so long as the reporter complies with this policy. Blackboard does not compensate for reporting security vulnerabilities.
Blackboard is committed to improving its security policy and, as such, may update or amend this policy at any time with or without notice to you. If you have any questions regarding this policy, please email us at [email protected].