Reporting Security Issues
Zimbra Collaboration Suite and its products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra core application.
Usually when a vulnerability is discovered within a Third Party application or library, a CVE Alert is issued. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services." http://cve.mitre.org/
This is usually mirrored by an alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." http://nvd.nist.gov/
The third party vendor is usually notified about a vulnerability before an alert is issued to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).
What You Can Do
If you read about a vulnerability within an application that Zimbra uses, you should search our Bugzilla database to see if the issue has been reported. If you do not see the issue, please file a bug. If you believe that the threat is severe enough, and wish to communicate directly with Zimbra about the issue, please feel free to send a note (whether Open Source or Network Edition customer) to support@ or security@ this domain. Please cite a reference when submitting a notification.
When You Should Patch
Zimbra usually does not recommend users directly patch any component within Zimbra Collaboration Suite. Performing such an action introduces a component which has not been QA'ed, and may result in an unstable system.
Zimbra Network Edition customers are advised that self-patching may result in your system not being eligible for Official Network Edition Support, and you may be directed to the Zimbra Forums.
You should only apply patches when provided officially by Zimbra.
What Not To Do
When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be moderated until we can look at it and determine if it's legitimate.
What Zimbra Will Do
Depending on the severity, Zimbra will take the following actions:
If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra will usually post the threat in our Support Portal. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support Portal will contain reference links, as well as how to protect your deployment until Zimbra issues a patch. If the issue is being widely exploited in the wild, Zimbra will issue a patch within a few days. Otherwise (for smaller issues), Zimbra will issue a patch on our regular release cycle. http://pm.zimbra.com/
After we are sure that our notice has been delivered to NE Customers, and we've given them time to assess and protect themselves, we will post a notice in our Forums to notify our Open Source Community. Notice is only published in our Forums for major threats, so you should not rely solely on the Forums for notification of all vulnerabilities.
We suggest that all customers subscribe to some sort of security mailing list to ensure that you're among the first to be notified.
Zimbra PGP Keys
pub 1024D/C089A521 2009-07-09 Zimbra Security <firstname.lastname@example.org>
pub 1024D/F7DCD42B 2009-07-09 Zimbra Support <email@example.com>