No software is bug-free, BPM is no exception here. And of course this not only applies to the BPM product code that was developed by IBM, but also to 3rd party components that are either bundled with or required by BPM, such as
– IBM SDK for Java
– IBM WebSphere Application Server
– various open source libraries (such as Dojo) that are shipped in many places of the product.

The good news is that we at IBM are determined to protect our customers and fix security vulnerabilities that are found and publish a disclosure (“security bulletin”).
For any software you run in production, fixes, fix packs and configuration recommendations are published and you should make every effort to keep up to speed with these publications and patch your (production) system if necessary. There are three basic actions you need to take for your BPM environments:

1) Make sure to run the latest fixpack of your supported release
As stated earlier: IBM takes security vulnerabilities in supported products very seriously. They will all be treated in compliance with our documented product incidence process (PSIRT).
For BPM, security fixes to close vulnerabilities are made available on the latest fixpack of every supported (and affected) release at the day when a security bulletin disclosing the vulnerability is published.
Remember the version scheme is Version.Release.Modlevel.Fixpack. As we know customers cannot always move up to newer modification levels, we continue to provide fixes for some code streams for some time. In practice, many security fixes in the code base that originates from the former Lombardi world are made available for
– WebSphere Lombardi Edition 7.2.0.5
– IBM Business Process Manager 7.5.1.2
– IBM Business Process Manager 8.0.1.3
– IBM Business Process Manager 8.5.0.1
– IBM Business Process Manager 8.5.5.0
– IBM Business Process Manager 8.5.6.0
From a security perspective, there is no execuse for being on a version like 7.5.1.0 or 8.0.0.0 or even 8.5.0.1 without having plans to move up.

2) Get available security fixes
If you set up a brand new environment, please ensure to install all available security fixes for the version you just installed. Ideally, you do the right after installation prior to create a deployment environment. While we target to mark all security fixes as “recommended”, there can be cases where this is only possible for fix central downloads, but not in the live repository for Installation Manager. This can be due to post installation actions.
The recommended approach to find available security fixes is to go to the IBM Support Portal, select your product and version and hit “Go”. On the resulting page, there is a link to “Flashes, alerts and bulletins”.

It is important to note that security bulletins for bundled products are published for vulnerabilities with high media coverage (like recent SSL vulnerabilities Heartbleed, POODLE or FREAK). In the case of BPM, please also look at security bulletins for IBM WebSphere Application Server (WAS) which is the technology base underneath BPM. Given the BPM product structure, you can apply WebSphere Application Server fixes and fixpacks to your BPM environment. There is no need to wait for a “BPM repackaged fix for WAS”.

3) Subscribe to future security bulletins
You do not need to visit IBM Support Portal every day to check if new security bulletins have been published. There is a subscription feature that lets you select all your IBM products and register for email notification for any flashes and security bulletins.

Again, make sure to not only subscribe to BPM, but also WebSphere Application Server – and in case you are using additional IBM products like DB2, IBM Security Directory Server and IBM HTTP Server, make sure to subscribe for those as well.