Here at Open-Xchange, as you would expect, we take security very seriously. In order to provide safe and reliable software for our customers and their users we believe security vulnerabilities must be handled with high priority and communicated very openly.
As such, we operate a hybrid model of responsible-disclosure and full-disclosure when announcing vulnerabilities. Customers who sign up to our full-disclosure program are alerted whenever we find a vulnerability, which enables them to best decide how to handle the issue. Then, once the issue has been investigated and a patch developed and released to customers, we publish information about the vulnerability to the community. This has the joint effect of protecting our customers from these vulnerabilities and contributing to the health of the wider software security community.
This excellent blog post from security sage Bruce Schneier further details the history of responsible and full disclosure which I thoroughly recommend you read!
We share information around vulnerabilities using the ‘Bugtraq’ mailing list, including a history of the vulnerability discovery process. These patch notes can be used by other developers to map common vulnerability identifiers and strengthen their software against them. We also publish vulnerabilities to the Mitre CVE database.
Responsible disclosure is one of many security processes we have in place here at Open-Xchange. We have been awarded the ISO 27001 certification by TÜV Rheinland, one of the most rigorous standards bodies in the world. We also hold quarterly security meetings to review new features and vulnerabilities as well as yearly penetration testing and/or code reviews.
For more details on our responsible disclosure program and patch release process, please visit http://knowledgebase.open-xchange.com/support/security-patch-release.html.