Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

Vulnerability Disclosure Policy

Cybersecurity is most successful when it is built into the development and delivery of products, applications, and platforms. We also recognize that there is no silver bullet solution to security and welcome contributions from external security researchers, industry organizations, vendors, and other sources concerned with cybersecurity.

Responsible Disclosure Guidelines

To promote the discovery and reporting of vulnerabilities in our products, and to ensure safety for users of our products, reporters must adhere to the following guidelines for submission of any potential vulnerabilities:

Share security issues with Black Duck confidentially, with sufficient information to evaluate the submission (recommended details below)
Do not make any information public without Black Duck’s guidance and consent
Do not access or modify any user data in any application (regardless of whether that data belongs to Black Duck or an end user of the application). Only interact with your own accounts or test accounts for security research purposes
Contact Black Duck within 24 hours if you encounter any end user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Black Duck
Always act in good faith so as to avoid violations to applicable laws, the destruction of data, or the interruption or degradation of our services (including denial of service)
Comply with all applicable laws

We will not negotiate in response to duress or threats. We will not negotiate under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public.

Reporting a Potential Security Vulnerability

If you observe a potential security vulnerability in one of our products, you are strongly encouraged to contact Black Duck to report it and include the following details when reporting a potential security vulnerability:

Affected Product/Platform and Version
Technical description of the issue
Detailed steps to reproduce and/or sample code used to exploit the vulnerability
Contact information and optional name for acknowledgments
Proposed disclosure plans

Excluded Submission Types

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Findings generated by automated tools without detailed explanation on what parts are vulnerable and how the vulnerability might be exploited

Black Duck prefers all reports of potential security vulnerabilities for Black Duck products or software are encrypted using the PGP/GNU Privacy Guard (GPG) public key found below. Please report any potential security vulnerabilities in Black Duck products or software to the following email address: [email protected].

PGP Key File: public_key.asc

PGP Key Fingerprint: 5546 3696 B9CC BA5C C56E 3195 C25E 521C C2B2 BA49

Please note that the PSIRT contact addresses should only be used for reporting undisclosed security vulnerabilities in our products, applications, and platforms, and for managing the process of fixing such vulnerabilities. If you’d like to make a general support request, please use the official support channel. All mail sent to this address that does not relate to an undisclosed security vulnerability will be destroyed.

Consequences of Complying with Policy

We consider that activities consistent with this policy are “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have complied with Black Duck’s Vulnerability Disclosure policy, Black Duck will make it known that your actions were conducted in compliance with this policy.

Black Duck Vulnerability Disclosure Process Overview

The Black Duck Vulnerability Disclosure Process is executed by the Product Security Incident Response Team (PSIRT). The Black Duck process is based on well-known industry standards, such as NIST-SP-800-61, ISO 29147, and ISO 30111.

The Black Duck PSIRT coordinates the response and, if necessary, disclosure of security incidents related to Black Duck products and associated software. Black Duck PSIRT's primary objective is to minimize the risks associated with security incidents in a timely, secure, and responsible manner.

Black Duck will investigate all reports for Black Duck products/platforms that are currently supported; accepted reports will be prioritized based on severity and other environmental factors. 

Throughout this process, Black Duck will strive to work collaboratively with the reporting party to validate and collect additional information as necessary. Upon determining the validity of a reported vulnerability, Black Duck will share results with the reporting party, to the extent it may do so without risk to end users. These results, depending on the security issue, include whether the report has been accepted or rejected, severity, timelines, resolution, and public disclosure plans. If the reporting party does not agree with the shared results, Black Duck will make good faith efforts to address the concerns.

During this process, Black Duck will manage all information regarding a reported vulnerability on a confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Black Duck, similarly, requires the reporting party to maintain strict confidentiality until the reported vulnerability has been comprehensively remediated.

Although this policy addresses disclosure of vulnerabilities in our products, in the event that a reported vulnerability involves a vendor product, Black Duck will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.

Additionally, if Black Duck becomes aware of a vulnerability that does not affect our products/platforms, Black Duck will follow our policy for reporting vulnerabilities to vendors.

Assessing Vulnerability Severity

Black Duck encourages individuals who report vulnerabilities to evaluate and assign an initial severity using an industry-recognized standard, such as CVSS, NIST 800-30 rev1, SSVC, etc. While in the “Analysis” phase, Black Duck will take into consideration the reported severity while formulating an official severity. The official severity will be created using CVSS (or another industry-recognized standard) and, whenever possible, used with other environmental factors to prioritize remediation/disclosure timelines. 

Given the complexity of security issues in the hardware context this can lead to longer embargo periods than the software industry standard of 90 days. This time can be necessary for Black Duck’ customers to devise and implement mitigation strategies. In the event that Black Duck believes it will take longer than 90 days to release a fix, Black Duck will inform the reporting party of this and the extenuating circumstances which necessitate an extended embargo period.

Acknowledgement and Publication

Black Duck values the efforts of external security researchers, industry organizations, vendors, customers, and other sources who identify security vulnerabilities and responsibly disclose them to Black Duck so that fixes can be issued to all customers. While Black Duck will not pay bounties or other monetary compensation for reporting vulnerabilities in our products, Black Duck’ policy is to acknowledge all researchers in the product/platform release notes and/or public disclosures, provided the following conditions are met:

The reporting party agrees to their name, handle, or other contact details being shared publicly
The reporting party does not publish the vulnerability prior to Black Duck confirming a comprehensive fix has been released
The reporting party does not divulge exact details of the issue, for example, exploits or proof-of-concept code

Note: Black Duck does not publicly acknowledge Black Duck employees or contractors of Black Duck and its subsidiaries for vulnerabilities found in Black Duck products/platforms.

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based out of the US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.