Difference between revisions of "Reporting Security Issues"

(New page: Zimbra Collaboration Suite, and it's products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party produ...)
 
(editing for grammar and style, adding Template:Article Footer, and Category:Troubleshooting)
Line 1: Line 1:
Zimbra Collaboration Suite, and it's products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra Core application.  
+
Zimbra Collaboration Suite, and its products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra core application.  
  
 
=Understanding Vulnerabilities=
 
=Understanding Vulnerabilities=
 
Usually when a vulnerability is discovered in within a Third Party application or library, a CVE Alert is issued. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services."  http://cve.mitre.org/
 
Usually when a vulnerability is discovered in within a Third Party application or library, a CVE Alert is issued. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services."  http://cve.mitre.org/
  
This is usually mirrored by a alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." http://nvd.nist.gov/
+
This is usually mirrored by an alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." http://nvd.nist.gov/
  
 
The third party vendor is usually notified about a vulnerability before an alert is issued to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).
 
The third party vendor is usually notified about a vulnerability before an alert is issued to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).
  
 
=What You Can Do=
 
=What You Can Do=
If you read about a vulnerability within an application that Zimbra uses, you should search our bugzilla database to see if the issue has been reported to us. If you do not see the issue, please file a bug. If you believe that the threat is severe enough, and wish to communicate directly with Zimbra about the issue, please feel free to send a note (whether Open Source or Network Edition customer) to support@zimbra.com. Please cite a reference when submitting a notification.
+
If you read about a vulnerability within an application that Zimbra uses, you should search our [http://bugzilla.zimbra.com| Bugzilla database] to see if the issue has been reported. If you do not see the issue, please file a bug. If you believe that the threat is severe enough, and wish to communicate directly with Zimbra about the issue, please feel free to send a note (whether Open Source or Network Edition customer) to support@zimbra.com. Please cite a reference when submitting a notification.
  
 
==When You Should Patch==
 
==When You Should Patch==
Zimbra usually does not recommend users directly patch any component within Zimbra Collaboration Suite. Performing such an action introduces a component which has not been "QA'ed", and may result in an unstable system.
+
Zimbra usually does not recommend users directly patch any component within Zimbra Collaboration Suite. Performing such an action introduces a component which has not been QA'ed, and may result in an unstable system.
  
Zimbra Network Edition Customers are advised that patching may result in your system not being eligible for Official Network Edition Support, and you may be directed to the Zimbra Forums.
+
Zimbra Network Edition customers are advised that patching may result in your system not being eligible for Official Network Edition Support, and you may be directed to the Zimbra Forums.
  
 
=What Not To Do=
 
=What Not To Do=
When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be moderated until we can look at it and determine if it's legit.
+
When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be moderated until we can look at it and determine if it's legitimate.
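Review bot: the external link added in the What You Can Do paragraph, `[http://bugzilla.zimbra.com| Bugzilla database]`, mixes syntaxes: MediaWiki external links separate URL and label with a space, and the pipe belongs only to internal `[[...]]` links, so as written the `|` is absorbed into the URL. Suggest `[http://bugzilla.zimbra.com Bugzilla database]`. The phrase "discovered in within a Third Party application" in the Understanding Vulnerabilities paragraph is also carried over unchanged; suggest "discovered within".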
  
  
Line 24: Line 24:
 
Depending on the severity, Zimbra will take the following actions:
 
Depending on the severity, Zimbra will take the following actions:
  
If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra usually will post the threat in our Support Portal. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support portal will contain reference links, as well as how to protect you until Zimbra issues a patch. If the issue is widely being exploited in the wild, Zimbra will issue a patch within a few days. Otherwise (for smaller issues), Zimbra will issue a patch on our regular release cycle. http://pm.zimbra.com/
+
If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra usually will post the threat in our Support Portal. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support portal will contain reference links, as well as how to protect your deployment until Zimbra issues a patch. If the issue is widely being exploited in the wild, Zimbra will issue a patch within a few days. Otherwise (for smaller issues), Zimbra will issue a patch on our regular release cycle. http://pm.zimbra.com/
  
After we are sure that our notice has been delivered to NE Customers, and we've given them time to assess and protect themselves, we will post a notice in our Forums to notify our Open Source Community. Notice is only published in our Forums for MAJOR threats, and you should not only rely on the forums for all notifications of all vulnerabilities.  
+
After we are sure that our notice has been delivered to NE Customers, and we've given them time to assess and protect themselves, we will post a notice in our Forums to notify our Open Source Community. Notice is only published in our Forums for '''major''' threats, and you should not only rely on the forums for all notifications of all vulnerabilities.  
  
 
We suggest that all customers subscribe to some sort of security mailing list to ensure that you're among the first to be notified.
 
We suggest that all customers subscribe to some sort of security mailing list to ensure that you're among the first to be notified.
 +
 +
 +
{{Article Footer|n/a|5/12/2008}}
 +
 +
[[Category:Troubleshooting]]
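Review bot: the sentence ending "you should not only rely on the forums for all notifications of all vulnerabilities" is carried over with only '''major''' bolded and remains hard to read; suggest "you should not rely on the forums alone for notification of every vulnerability". The three blank `+` lines inserted before the Article Footer template only add trailing whitespace; one blank line is enough.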

Revision as of 20:44, 12 May 2008

Zimbra Collaboration Suite and its products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra core application.

Understanding Vulnerabilities

Usually when a vulnerability is discovered within a Third Party application or library, a CVE Alert is issued. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services." http://cve.mitre.org/

This is usually mirrored by an alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." http://nvd.nist.gov/

The third party vendor is usually notified about a vulnerability before an alert is issued to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).

What You Can Do

If you read about a vulnerability within an application that Zimbra uses, you should search our Bugzilla database to see if the issue has been reported. If you do not see the issue, please file a bug. If you believe that the threat is severe enough, and wish to communicate directly with Zimbra about the issue, please feel free to send a note (whether Open Source or Network Edition customer) to support@zimbra.com. Please cite a reference when submitting a notification.

When You Should Patch

Zimbra usually does not recommend users directly patch any component within Zimbra Collaboration Suite. Performing such an action introduces a component which has not been QA'ed, and may result in an unstable system.

Zimbra Network Edition customers are advised that patching may result in your system not being eligible for Official Network Edition Support, and you may be directed to the Zimbra Forums.

What Not To Do

When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be moderated until we can look at it and determine if it's legitimate.


What Zimbra Will Do

Depending on the severity, Zimbra will take the following actions:

If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra usually will post the threat in our Support Portal. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support portal will contain reference links, as well as how to protect your deployment until Zimbra issues a patch. If the issue is widely being exploited in the wild, Zimbra will issue a patch within a few days. Otherwise (for smaller issues), Zimbra will issue a patch on our regular release cycle. http://pm.zimbra.com/

After we are sure that our notice has been delivered to NE Customers, and we've given them time to assess and protect themselves, we will post a notice in our Forums to notify our Open Source Community. Notice is only published in our Forums for major threats, so you should not rely on the forums alone for notification of every vulnerability.

We suggest that all customers subscribe to some sort of security mailing list to ensure that you're among the first to be notified.


Verified Against: n/a Date Created: 5/12/2008
Article ID: https://wiki.zimbra.com/index.php?title=Reporting_Security_Issues Date Modified: 2008-05-12