Responsible Disclosure

Blackbaud and our Cyber Security program is committed to the security of our systems, products, and our customer information. We appreciate the valuable contributions of the Cyber Security community.

In order to work with us better, we’d like to share a few guidelines on reporting vulnerabilities to us. We expect that each security researcher aligns with our core values throughout their engagement with us. This will help facilitate a collaborative working environment and instills trust in all participants of the engagement. Blackbaud core values are: We work as One, We bring heart, We invent possibilities, We expect the best, We give back.

If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below.

*Please note, Blackbaud does not operate a bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Out Of Scope Targets

Testing is strictly prohibited against the following targets:


Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

Provide Blackbaud reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly. Blackbaud will work with the security researcher and indicate approval for sharing publicly.

  • Provide Blackbaud with all appropriate information to quickly resolve the issue and minimize confusion around what was discovered and how.
  • Do not engage in any activity that can potentially or actually cause harm to Blackbaud, our customers, or our employees.
  • Do not engage in any activity that can potentially or actually stop or degrade Blackbaud services or assets.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  • Do not store, share, compromise or destroy Blackbaud or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Blackbaud. This step protects any potentially vulnerable data, and you.

By responsibly submitting your findings to Blackbaud in accordance with these guidelines Blackbaud agrees not to pursue legal action against you. Blackbaud reserves all legal rights in the event of noncompliance with these guidelines.

Once a report is submitted, Blackbaud commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program. Blackbaud does not commit to any SLA that the issues will be addressed and thus a point in time when the security researcher may share the information publicly.

Vulnerability Submissions

Our vulnerability disclosure program is hosted and managed by BugCrowd. Please submit any vulnerability reports by using the form below: