TIBCO Vulnerability Disclosure Policy


What is TIBCO’s security vulnerability disclosure policy?

TIBCO takes security very seriously. TIBCO’s policies are designed to treat the users of our software equally with respect to vulnerability disclosure and remediation. Regardless of the myriad industries, types of customer engagements, and types of deployments of TIBCO's software, including enterprise installs, open source projects, custom service engagements, and cloud-hosted solutions, our policies are designed to give all our users equal access to security vulnerability information and remediations that are identified in TIBCO's products. For clarity and simplicity, even though some users of TIBCO software may not have paid for access to our software, this document refers to all users and customers affected by security considerations as "customers." We adhere to the following principles:

  • Fair Disclosure - Our principle of fair disclosure requires that all customers be made aware of a vulnerability at the same time. No customer may be privileged with information from TIBCO regarding vulnerabilities in advance of any other customer.
  • Fair Remediation - Our principle of fair remediation requires that all customers receive access to remediation at the same time. As with Fair Disclosure, no customer may be privileged with a remediation in advance of others. All TIBCO security releases are general availability releases, available to all current customers.
  • Disclosure With Remediation - When we disclose, we provide information and/or upgrades that the customer can deploy to protect themselves. In the case of an active exploit, TIBCO may disclose vulnerability information in advance of remediation availability in order to allow customers to implement compensating controls prior to the release of full remediation information and/or upgrades.

How does TIBCO work with security researchers?

  • Coordinated Disclosure - TIBCO encourages security researchers to report to us any vulnerabilities that they find in our offerings. Our principle of coordinated disclosure requires that we work together in a constructive manner with security researchers who report vulnerabilities to ensure that the vulnerability is fully remediated and subsequent disclosure is coordinated.
  • Providing Credit - TIBCO credits researchers in our public announcements for qualifying disclosures, unless otherwise requested.

What Issues Qualify for Credit?

Vulnerabilities must be of “medium” CVSS severity or greater as determined by TIBCO.

How do I report a security vulnerability in a TIBCO offering to TIBCO?

Potential security issues can be brought to the attention of our Product Security Incident Response Team (PSIRT) through the following methods:

If you wish to send us sensitive information, use the TIBCO Security PGP key (also available here). If you have difficulty with both of those locations, you can download the public key directly from TIBCO.

No matter which method you use to contact TIBCO, you will receive a response acknowledging receipt of your message. TIBCO will follow up once we have reviewed the information provided.

What happens when a security vulnerability is reported to TIBCO?

TIBCO's Product Security Incident Response Team (PSIRT) manages the receipt, investigation, internal coordination, and response to security vulnerability information related to all TIBCO offerings. The team coordinates with product teams when potential security vulnerabilities come to TIBCO's attention. This coordination ensures that vulnerabilities are resolved in a timely manner consistent with our policies.
