
Vulnerability Management Commitment and Disclosure Policy

Blackboard's vulnerability management program is governed by this public-facing Vulnerability Management Commitment and Disclosure Policy. No software vendor is perfect – in the event a security vulnerability is identified in a released product, Blackboard's transparent and responsive Security Team is ready to respond. Customers and security researchers have a dedicated security channel they may use to contact the Security Team:

Blackboard is committed to resolving security vulnerabilities quickly and carefully. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our customers. To protect our customers and their data, we request that vulnerabilities be responsibly and confidentially reported to us so that we may investigate and respond. Vulnerabilities should not be announced until we have developed and comprehensively tested a product update and made it available to licensed customers.

Blackboard’s products are complex. They run on diverse hardware and software configurations, and are connected to many third-party applications. All software modifications – big or small – require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and testing appropriate to its scope, complexity and severity. Given the critical importance of our products to our customers, Blackboard must ensure that they run correctly not only in our testing facilities, but also in customer environments. Accordingly, Blackboard cannot provide product updates according to a set timeline – but we are committed to working expeditiously.

Malicious parties often exploit software vulnerabilities by reverse engineering published security advisories and product updates. It is important for customers to update software promptly and use our severity rating system as a guide to better schedule upgrades. Therefore, public discussion of the vulnerability is only appropriate after customers have an opportunity to obtain product updates.