Security Patch Release

General

Open-Xchange takes security related topics very seriously. In order to provide customers and their users a safe and reliable working environment, security vulnerabilities are handled with high priority and are covered by an optimized delivery process. We believe that security issues must be communicated very openly, at the same time protecting customers that may be affected by vulnerabilities.

Delivery

To provide input to the software security community, we publish security issues once they have been identified and a Patch Release has been provided to customers with sufficient time to respond and roll out these Patch Releases. Therefor, we’ve chosen a hybrid model of responsible-disclosure and full-disclosure when announcing vulnerabilities. Open-Xchange is very eager to get feedback from the security community about unknown issues and is committed to resolve them quickly without bureaucracy hassle. Vulnerabilities are discussed within Open-Xchange prior to providing a Security Patch Release to ensure customers can request deployment information from their Support or Services contacts.

Metrics and Frameworks

When vulnerabilities are discovered, either internally at Open-Xchange or externally, they get evaluated using industry standard metrics such as CVSS (Common Vulnerability Scoring System), CWE (Common Weakness Enumeration) and get identified by CVE-IDs (Common Vulnerability and Exposures). This information is made available through Patch Release Notes once the vulnerability has been solved by providing a Patch Release. These Release Notes do not contain specific information about the vulnerability to make sure customers are protected until public disclosure.

Public disclosure

Public disclosure is performed using the “Bugtraq” Mailing List and contains detailed information about the vulnerability as well as a history of the vulnerabilities discovery process. These postings can be used to map CVE-Identifiers from the Release Notes with the detailed description of the vulnerability. The public announcement usually takes place within 5 to 10 business days after a Security Patch Release as has been provided to all customers. To avoid exploitation of known security issues, please make sure to update to a Security Patch Release as quickly as possible.

Limitations

Please note that Security Patch Releases are provided for Open-Xchange versions that are supported at the time of vulnerability discovery.

References

• CVSS: http://www.first.org/cvss
• CWE: http://cwe.mitre.org/
• CVE: http://cve.mitre.org/
• Bugtraq: http://www.securityfocus.com/