Reporting Security Issues
Zimbra Collaboration Suite and related products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra core application. High priority issues will often be referenced in the Security Center.
Usually, when a vulnerability is discovered within a Third Party application or library, a CVE Alert is issued. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services." https://cve.mitre.org/
This is usually mirrored by an alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." https://nvd.nist.gov/
The third party vendor is usually notified about a vulnerability before an alert is issued, to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).
What You Can Do
If you read about a vulnerability within an application that Zimbra uses, you should search Zimbra Bugzilla (the bug database) to see if the issue has already been reported. If you do not see the issue, see Reporting Vulnerabilities to Zimbra for ways to report vulnerabilities to Zimbra. If you believe that the threat is severe enough and wish to communicate directly with Zimbra about the issue, feel free to send email as directed on that page. Please be sure to cite any appropriate references when submitting details in a bug, ticket or email.
When You Should Patch
You should only apply official patches provided by Zimbra to Zimbra products.
Applying any non-official patches to Zimbra components may result in an unstable system. Zimbra Network Edition customers are advised that use of non-official patches may result in your system not being eligible for Official Network Edition Support, and requests related to such systems may be directed to the Zimbra Forums.
What Not To Do
When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be held until a moderator can determine if the post is legitimate. Please consider following the recommendations in Reporting Vulnerabilities to Zimbra.
What Zimbra Will Do
Depending on the severity, Zimbra will take the following actions:
If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra will usually post information related to the threat in our Support Portal, in the Security Center and possibly in the Forums. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support Portal will contain reference links, as well as how to protect your deployment until Zimbra issues a patch. If the issue is being widely or actively exploited, Zimbra may issue a one-off patch in a timely fashion to address the issue. Otherwise (for smaller issues), Zimbra will issue a patch on our usual release cycle.
Please reference our Zimbra Security Response Policy for details.
Customers may want to consider subscribing to various public security mailing lists to help in being notified of emerging threats.