TIBCO takes security very seriously. TIBCO’s policies are designed to treat the users of our software equally with respect to vulnerability disclosure and remediation. Regardless of the myriad industries, types of customer engagements, and types of deployments of TIBCO's software, including enterprise installs, open source projects, custom service engagements, and cloud-hosted solutions, our policies are designed to give all our users equal access to security vulnerability information and remediations that are identified in TIBCO's products. For clarity and simplicity, even though some users of TIBCO software may not have paid for access to our software, this document refers to all users and customers affected by security considerations as "customers." We adhere to the following principles:
Vulnerabilities must be of “medium” CVSS severity or greater as determined by TIBCO.
Potential security issues can be brought to the attention of our Product Security Incident Response Team (PSIRT) through the following methods:
If you wish to send us sensitive information, use the TIBCO Security PGP key (also available here). If you have difficulty with both of those locations, you can download the public key directly from TIBCO.
No matter what method you use to contact TIBCO, you will receive a response acknowledging receipt of your message. TIBCO will follow up once we have reviewed the information provided.
The TIBCO Product Security Incident Response Team (PSIRT) manages the receipt, investigation, internal coordination, and response to security vulnerability information related to all TIBCO offerings. The team coordinates with product teams when potential security vulnerabilities come to TIBCO's attention. This coordination ensures that the vulnerabilities are resolved in a timely manner consistent with our policies.