
BMC continuously improves the security, quality, and performance of the software we develop. Product security is an integral part of our product development lifecycles.

Products built with security in mind

We have established a quality management system for BMC products based on a shared set of goals and practices embedded in a repeatable process.

Product security experts are involved in all stages of the software development lifecycle, from requirements gathering, to design and architecture, through coding and testing. Software must meet security standards before it is released and must continue to meet those standards as it is maintained.

The process includes formal approvals at various points to ensure visibility and governance over quality, security, and performance goals and investments.

How we work

Addressing security throughout product development with agile DevOps


Security tools and processes are more effective and less costly when integrated throughout the development process as opposed to being considered only at the end. We incorporate threat modeling, attack surface analysis, security architecture analysis, and other techniques at early phases of application conception.

Our developers use a “shift-left” approach to security by incorporating tools early on, including security assessments, security testing, and penetration testing. This approach follows industry best practices, including least privilege, failing securely, defense in depth, and separation of privilege.

Meeting security requirements for product release quality certification


Prior to release, each BMC product goes through one or more of the following processes to identify and correct any high-severity vulnerabilities as defined by CVSS 3.0. Medium- and low-severity vulnerabilities are logged as defects and addressed in subsequent releases.

Dynamic Application Security Testing

  • Automated testing using industry-leading tools
  • Production safety assessments run continuously and inform BMC of the risk posed by production web applications, regardless of how frequently changes are made

Manual Application Penetration Testing

  • Performed annually, independently of the quality review for every major release
  • Comprises system-level tests, web application tests, client/server tests, API tests, network scanning and Level 7-equivalent penetration testing

Open Source Vulnerability Scanning

For each open-source software component and library, an automated scan against the National Vulnerability Database is performed to identify any known vulnerabilities in the specific version used in a BMC product.

When a vulnerability is identified, either by our efforts or by public disclosure, the product security team orchestrates the effort to assess how the vulnerability might affect BMC products. We communicate the availability of fixes or workarounds via the Application Security News and Advisories site.

Supporting a culture of secure coding


The product security team consults with development teams on security design reviews, architectural advice, security implementation advice, and guidance on the use of security scanning tools and on the interpretation of their results.

Because flaws in business logic cannot be easily discovered by automated tools and penetration testing, we conduct security design reviews and threat modeling workshops to identify potential issues during the architecture and design phases of product development.

Corporate-wide training for all developers, QA engineers, product managers, and architects includes mandatory training on the OWASP Top 10 Vulnerabilities. More than 550 developers at BMC have undergone training on the first three domains of the ISC Certified Secure Software Lifecycle Professional (CSSLP) secure coding program, and some have achieved ISC’s Secure Software Practitioner (SSP) certification.

We welcome input from our customers and the security research community

To improve overall product security and reduce the risk to any customer's environment, our team follows a formal escalation process for vulnerability disclosures regardless of their source (researcher, customer, internal QA team, or others). Based on the severity of the vulnerability, it is routed through senior management, remediated by the relevant product development team, and communicated to affected customers.

  1. Submit vulnerability. If you are a BMC customer, follow your established support process to report security vulnerabilities as you would any other concern. Following the customer support process will help us prioritize your report and understand its context.

    If you are an external researcher or anyone else with no access to BMC support and discover a security issue related to a BMC website or hosted service, please contact our IT security team at security-alert@bmc.com.

    If you are an external researcher or anyone else with no access to BMC support and discover a security issue related to a BMC product, please contact our Product Security Group at appsec@bmc.com. If the content of your communication is sensitive, please encrypt your email using our PGP key. The PGP fingerprint is: A921B4428D8C9988A29BA5BBE398A5B819611C7E

    If you do not trust the integrity of this website, please email us at appsec@bmc.com with a phone number where you can be reached and we will provide the fingerprint verbally.

    To expedite handling of the vulnerability, please include:

    • Contact details (name, email, phone number)
    • BMC product name (e.g. BladeLogic Database Automation)
    • BMC product version (preferably the full version and patch level, e.g. v.9.8.01 SP1)
    • Detailed description of the vulnerability with steps to reproduce its discovery
    • Detailed steps to exploit the vulnerability (if available)
  2. Assess impact. The application security team reviews the submitted data with the appropriate development team to assess the vulnerability’s impact and produce an internal severity rating.
  3. Determine what fix is required. The development team attempts to reproduce the issue submitted and assesses the effort and resources required to fix the vulnerability or to provide a workaround. They determine when the fix will be released based on the severity rating, the resources required, and the release lifecycle of the product.
  4. Maintain communication. The application security team maintains open communication with the submitter until a fix or workaround is available.
  5. Document and communicate fix. The development team sends a technical bulletin to all customers of the affected product, notifying them of the vulnerability and the availability of a fix or a workaround.
  6. Give credit where credit is due. Credit will be given to the submitter upon request.

If you discover a security issue related to a BMC website or hosted service, please contact our IT security team at security-alert@bmc.com.

Our incident management procedure enables swift response to any potential incident. This procedure covers emergency incidents, escalation, and public vulnerability disclosure. BMC’s practices include a procedure for documenting the incident in detail and producing a report for future reference or management’s attention.


Our security practices are always evolving. We adapt our tools and techniques to encompass new technologies and protect against new kinds of threats. If you have specific questions about a particular product, please contact your account or sales team. For security-related inquiries, please email appsec@bmc.com.