BlackBerry Product Security Incident Response Team

Secure Your Organization

The BlackBerry Product Security Incident Response Team (PSIRT) works to make BlackBerry® one of the most secure mobile platforms available. The BlackBerry PSIRT builds collaborative relationships across the industry, monitors the security threat landscape and responds rapidly to emerging incidents to provide customers with the guidance and tools they need to protect their systems and devices.

Advisories & Notices

BlackBerry is committed to improving the security of its products and strives to identify and remove vulnerabilities before the product is released to market. However, software vulnerabilities remain a fact of life and the BlackBerry Product Security Incident Response Team (PSIRT) is prepared to advise you about risks to you and the availability of software fixes.

About Advisories, Bulletins and Notices

BlackBerry may issue a security advisory to inform customers about the resolution of a confirmed vulnerability in a supported BlackBerry product. Unlike a security notice (described below), which aims to inform customers of a vulnerability, a security advisory includes information on the security issue as well as the software update that addresses the vulnerability.

Customers can expect the advisory to include technical details regarding the vulnerability, mitigations, workarounds and authoritative guidance to reduce their risk. BBPSIRT releases security advisories on the second Tuesday of the month, in alignment with current industry practice. However, if there is imminent risk to customers, we will release a security advisory sooner to help ensure customers are protected. 

BlackBerry issues security notices when appropriate to inform customers about high-visibility software vulnerabilities that BlackBerry is investigating, has determined to impact supported BlackBerry products, and is working to address.

Customers can expect security notices to provide mitigations, workarounds, and authoritative guidance to reduce any potential risk. We do not follow a set schedule for issuing security notices, but rather release these notifications as needed to provide customers with information on how best to secure their products.

BlackBerry issues security bulletins to notify users of its BlackBerry powered by Android smartphones about available security fixes in its monthly Security Maintenance Release update. The bulletin is in response to the monthly Android Security Bulletin and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.

Customers can expect security bulletins to provide a complete list of security vulnerabilities fixed in the monthly Security Maintenance Release. BBPSIRT regularly releases security bulletins on the first Monday of the month. 

BlackBerry issues privacy notices to inform customers about third-party applications that do not clearly or adequately inform customers of how the app is accessing and possibly using their data. While such apps do not typically appear to have malicious objectives or aim to mislead customers, we want to provide customers with information regarding an app’s behavior in order for them to make an informed decision about whether to continue using the app.

Customers can expect privacy notices to include information about the application’s behavior, and how to remove it, if the customer determines that is the best course of action. We release privacy notices as needed on the third Tuesday of the month in order to provide customers with a predictable schedule for receiving information. 

BlackBerry issues malware notices to inform customers about third-party applications that contain code developed with malicious intent.

Customers can expect malware notices to provide them with details about the malware’s behavior, potential mitigations and guidance on how to remove it from their device. Similar to security notices, malware notices are released as needed to inform and protect customers, and there is no set schedule.

BlackBerry remains committed to providing customers a unique level of protection, especially as mobile devices are playing a greater role in their busy lives. By publicly releasing notices and security updates, we are providing customers with the tools and information that they need to help safeguard their BlackBerry products. Additionally, through this type of public disclosure, we are continuing to foster industry collaboration as we work to improve security for the mobile landscape overall. 

Security Updates

Helping to protect customers from security threats is the number one priority of the BlackBerry PSIRT. This team provides security updates for publicly released, non-Beta BlackBerry products. The team also scores security issues using the Common Vulnerability Scoring System (CVSS), and those identified as severe are given the highest level of priority.

Before the release of a security update, BlackBerry build and test processes must first determine that the update is of the quality customers expect. The BlackBerry PSIRT publishes security advisories and notices to inform you that updates or guidance are available, and provides the details you need to complete a tailored risk assessment.

Collaborations

An essential part of the daily work of the BlackBerry Product Security Incident Response Team (PSIRT) includes collaborating with customers, partners, vendors, governments, academics and the security research community. Ongoing engagement helps BlackBerry deliver a unique level of security that customers depend upon.

Acknowledgements

The BlackBerry PSIRT thanks the following people and organizations for reporting security issues under the industry practice of coordinated disclosure and working with the team to protect BlackBerry customers.

* - Identifies "Super Finder Status", signifying the finder has reported three or more security issues to the BlackBerry PSIRT in the calendar year.

For presenting at the BlackBerry Security Summit, June 2013:


For identifying and reporting a security issue to BlackBerry:

For presenting at the BlackBerry Security Summit, June 2012:

For identifying and reporting a security issue to BlackBerry:

  • Andy Davis of NCC Group
  • Tim Brown, Nth Dimension

For identifying and reporting a security issue to BlackBerry:

For identifying and reporting a security issue to BlackBerry:

  • Isaac Dawson
  • Jean-Luc Giraud of the Citrix security team
  • Sheran Gunasekera of ZenConsult
  • OYXin of Nevis Labs, Aviram Networks, Inc.
  • Mobile Security Lab
  • CESG
  • Ken Millar of Sensient Technologies Corporation
  • Michael Thumann of ERNW
  • Martin O'Neal and Stephen de Vries of Corsaire
  • eEye Digital Security, working with US-Computer Emergency Readiness Team Coordination Center (CERT/CC)
  • Sonic Solutions
  • US-Computer Emergency Readiness Team Coordination Center (CERT/CC)
  • FX of Phenoelit
  • Imad Lahoud of the EADS Corporate Research Center IT Security Lab in France