Responsible Disclosure for better Security

Jun 6, 2016

Here at Open-Xchange, as you would expect, we take security very seriously. In order to provide safe and reliable software for our customers and their users we believe security vulnerabilities must be handled with high priority and communicated very openly.

As such, we operate a hybrid model of responsible disclosure and full disclosure when announcing vulnerabilities. Customers who sign up to our full-disclosure program are alerted whenever we find a vulnerability, which lets them decide how best to handle the issue in their own deployments. Then, once the issue has been investigated and a patch has been developed and released to customers, we publish information about the vulnerability to the community. This has the joint effect of protecting our customers from these vulnerabilities and contributing to the health of the wider software security community.

This excellent blog post from security sage Bruce Schneier further details the history of responsible and full disclosure which I thoroughly recommend you read!

We share information about vulnerabilities on the ‘Bugtraq’ mailing list, and each advisory includes a history of how the vulnerability was discovered and handled. Other developers can use these advisories to map the referenced common vulnerability identifiers to their own code and strengthen their software against the same classes of issue. We also publish the vulnerabilities to the MITRE CVE database.

Responsible disclosure is one of many security processes we have in place here at Open-Xchange. We have been certified to ISO 27001 by TÜV Rheinland, one of the most rigorous certification bodies in the world. We also hold quarterly security meetings to review new features and vulnerabilities, and we carry out yearly penetration testing and/or code reviews.

For more details on our responsible disclosure program and patch release process, please visit http://knowledgebase.open-xchange.com/support/security-patch-release.html.

About the author

Neil Cook

PowerDNS Head of Product
