Blackboard is committed to resolving security vulnerabilities quickly and
carefully. Such resolutions may lead to the release of a Security Advisory
and/or any needed product update for our customers. In order to protect our
customers and their data, we request that vulnerabilities be responsibly and
confidentially reported to us so that we may investigate and respond.
Vulnerabilities should not be announced until we have developed and
comprehensively tested a product update and made it available to licensed

Blackboard’s products are complex. They run on diverse hardware and software
configurations, and are connected to many third-party applications. All
software modifications -- big or small -- require thorough analysis, as well as
development and implementation across multiple product lines and versions. The
software must also undergo localization, accessibility, and testing
appropriate to its scope, complexity and severity. Given the critical
importance of our products to our customers, Blackboard must ensure that they
run correctly not only in our testing facilities, but also in customer
environments. Accordingly, Blackboard cannot provide product updates according
to a set timeline -- but we are committed to working expeditiously.

Malicious parties often exploit software vulnerabilities by reverse
engineering published security advisories and product updates. It is important
for customers to update software promptly and use our severity rating system
as a guide to better schedule upgrades. Therefore, public discussion of the
vulnerability is only appropriate after customers have an opportunity to
obtain product updates.

You should conduct all vulnerability testing against non-production instances
of our products to minimize the risk to data and services.

Confidentially share details of the potential vulnerability by sending an email to [email protected]
Provide details of the potential vulnerability so the Blackboard security team may validate and reproduce the issue quickly. Without the above information, it may be difficult if not impossible to address the potential vulnerability. Reports listing numerous potential vulnerabilities without detail will not be addressed without further clarification. Details should include:
Type of vulnerability;
Whether the information has been published or shared with other parties;
Affected products and versions;
Affected configurations; and
Step-by-step instructions or proof-of-concept code to reproduce the issue.

To all vulnerability reporters who follow this Policy, Blackboard will attempt
to do the following:
Acknowledge the receipt of your report;
Investigate in a timely manner, confirming where possible the potential vulnerability;
Provide a plan and timeframe for addressing the vulnerability if appropriate; and
Notify the vulnerability reporter when the vulnerability has been resolved.

With the agreement of the vulnerability reporter, Blackboard may acknowledge
the reporter's contribution during the public disclosure of the vulnerability
so long as the reporter complies with this policy. Blackboard does not
compensate for reporting security vulnerabilities.

Blackboard is committed to improving its security policy and as such, may
update or amend this policy at any time with or without notice to you. If you
have any questions regarding this policy, please email us at [**[email
This program, crawled on 2015-06-30, is sorted as cvd.