Reporting Vulnerabilities to Zimbra: Difference between revisions

(Created page with "{{BC|Security Center}} __NOTOC__ ==Reporting Vulnerabilities to Zimbra== <div class="col-md-12 ibox-content"> <div class="col-md-9"> As described in the Zimbra Responsible Dis...")
 
(update old links, minor whitespace cleanup)
Line 1: Line 1:
{{BC|Security Center}}
{{BC|Security Center}}
__NOTOC__
__NOTOC__
==Reporting Vulnerabilities to Zimbra==
== Reporting Vulnerabilities to Zimbra ==
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
<div class="col-md-9">
<div class="col-md-9">
As described in the Zimbra Responsible Disclosure Policy [http://telligent.com/support/w/security_prgm/41844.zimbra-responsible-disclosure-policy.aspx], it is critical that the Reporter please use the following techniques to report the vulnerability responsibly and securely via encrypted mechanisms. In order to fix and communicate the vulnerability safely to the greatest number of commercial and open-source sites, Zimbra seeks to build a partnership with its Researchers to identify, verify, patch and release software in such a way as to allow sites to be protected against a vulnerability prior to the release of public information on the vulnerability. In turn, when the Zimbra Responsible Disclosure Policy is followed by the Reporter, Zimbra will acknowledge the Reporter of the found vulnerability on the Zimbra Security Center [http://www.zimbra.com/security/].
As described in the [[Zimbra Responsible Disclosure Policy]], it is critical that the Reporter please use the following techniques to report the vulnerability responsibly and securely via encrypted mechanisms. In order to fix and communicate the vulnerability safely to the greatest number of commercial and open-source sites, Zimbra seeks to build a partnership with its Researchers to identify, verify, patch and release software in such a way as to allow sites to be protected against a vulnerability prior to the release of public information on the vulnerability. In turn, when the Zimbra Responsible Disclosure Policy is followed by the Reporter, Zimbra will acknowledge the Reporter of the found vulnerability on the Zimbra [Security Center].
===Reporting Vulnerability Securely to Zimbra===
 
=== Reporting Vulnerability Securely to Zimbra ===
The following methods are acceptable methods of reporting issues securely via encrypted mechanisms:
The following methods are acceptable methods of reporting issues securely via encrypted mechanisms:
====1. Email security@zimbra.com====
 
==== 1. Email security@zimbra.com ====
Email can be used for reporting vulnerabilities, but the following steps must be followed:
Email can be used for reporting vulnerabilities, but the following steps must be followed:
* a. Reporter will notify security@zimbra.com that a vulnerability has been identified.
* a. Reporter will notify security@zimbra.com that a vulnerability has been identified.
* b. Within seven business days of initial contact by the Reporter, Zimbra should promptly acknowledge, with a personal response rather than an automated message, that it has received the report and is requesting additional details.
* b. Within seven business days of initial contact by the Reporter, Zimbra should promptly acknowledge, with a personal response rather than an automated message, that it has received the report and is requesting additional details.
* c. Reporter will email the additional details using an encrypted mechanism. Our recommended approach for email is to encrypt the details using Zimbra Security's public PGP/GPG key:
* c. Reporter will email the additional details using an encrypted mechanism. Our recommended approach for email is to encrypt the details using Zimbra Security's public PGP/GPG key:
=====Zimbra Security Public PGP/GPG key=====
 
http://pgp.mit.edu/pks/lookup?search=security%40zimbra.com&op=index
===== Zimbra Security Public PGP/GPG key =====
https://pgp.mit.edu/pks/lookup?search=security%40zimbra.com


'''Current Key:''' pub  4096R/87B26192 2014-05-15 Zimbra Security <security@zimbra.com>
'''Current Key:''' pub  4096R/87B26192 2014-05-15 Zimbra Security <security@zimbra.com>
* This key is also available at this Zimbra URL: [http://files.zimbra.com/downloads/support/zimbra-security.gpg]
* This key is also available at this Zimbra URL: [https://files.zimbra.com/downloads/support/zimbra-security.gpg]
'''Previous Key:''' pub 1024D/C089A521 2009-07-09 Zimbra Security <security@zimbra.com>  
'''Previous Key:''' pub 1024D/C089A521 2009-07-09 Zimbra Security <security@zimbra.com>  


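Review bot: in the new intro text (the first changed line of this hunk) the external link `[http://www.zimbra.com/security/]` has been replaced by `[Security Center]`, which is neither an external link nor a `[[...]]` wikilink, so it renders as the literal text "[Security Center]" (as the rendered revision further down shows). Use `[[Security Center]]` for an internal page, or `[http://www.zimbra.com/security/ Security Center]` to keep the old target with a label.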
Line 23: Line 26:
* Complete revision information, including his or her implementation’s current version or patch level, and a description of the technology’s environment (e.g. hardware, configuration, other applications installed, relevant details about the network topology, firewall rules, and anything else that may be of use).
* Complete revision information, including his or her implementation’s current version or patch level, and a description of the technology’s environment (e.g. hardware, configuration, other applications installed, relevant details about the network topology, firewall rules, and anything else that may be of use).


* d. Zimbra will confirm the receipt of the details, and will verify and proceed with the vulnerability response, as defined here: http://telligent.com/support/w/security_prgm/41844.zimbra-responsible-disclosure-policy.aspx
* d. Zimbra will confirm the receipt of the details, and will verify and proceed with the vulnerability response, as defined here: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy


====2. Bugzilla====
==== 2. Bugzilla ====
Vulnerabilities can also be added directly by Reporter to the Zimbra public Bugzilla system. If reporting via Bugzilla, please be sure that the bug is set to '''"Make bug visible only to reporter and Zimbra"''':
Vulnerabilities can also be added directly by Reporter to the Zimbra public Bugzilla system. If reporting via Bugzilla, please be sure that the bug is set to '''"Make bug visible only to reporter and Zimbra"''':
* a. File bug at [https://bugzilla.zimbra.com https://bugzilla.zimbra.com] (Reporter will need to create an account on that system if they do not already have one - creating an account can be performed via self-service)
* a. File bug at https://bugzilla.zimbra.com (Reporter will need to create an account on that system if they do not already have one - creating an account can be performed via self-service)
* b. Select the correct product, Zimbra Collaboration ("ZCS") or Zimbra Desktop ("ZD")
* b. Select the correct product, Zimbra Collaboration ("ZCS") or Zimbra Desktop ("ZD")
* c. Select the Version and Component - as appropriate
* c. Select the Version and Component - as appropriate
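Review bot: step d now links the policy as a bare external URL (https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy) while the first hunk links the same page as the internal wikilink [[Zimbra Responsible Disclosure Policy]]; use the wikilink here as well so both references resolve to the same page and survive a wiki domain change.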
Line 33: Line 36:
* e. Include reproduction details and/or exploit proof-of-concept
* e. Include reproduction details and/or exploit proof-of-concept
* f. Notify Zimbra via email at '''security@zimbra.com''' that the bug has been filed and provide the bug number.
* f. Notify Zimbra via email at '''security@zimbra.com''' that the bug has been filed and provide the bug number.
====3. Support Case====
 
For Supported Customers/Partners, open a Support Case with Zimbra Support at [https://support.zimbra.com https://support.zimbra.com]
==== 3. Support Case ====
====4. Coordinator====
For Supported Customers/Partners, open a Support Case with Zimbra Support at https://support.zimbra.com
 
==== 4. Coordinator ====
Reporter may report the issue directly to a responsible Coordinator, such as CERT [https://forms.cert.org/VulReport/ https://forms.cert.org/VulReport/]. However, Zimbra would prefer that the vulnerability is initially reported directly to Zimbra and provide us the first opportunity to verify and, if necessary, fix the vulnerability directly in a working partnership with the Reporter.
Reporter may report the issue directly to a responsible Coordinator, such as CERT [https://forms.cert.org/VulReport/ https://forms.cert.org/VulReport/]. However, Zimbra would prefer that the vulnerability is initially reported directly to Zimbra and provide us the first opportunity to verify and, if necessary, fix the vulnerability directly in a working partnership with the Reporter.
</div>
</div>

Revision as of 00:45, 18 August 2015

Reporting Vulnerabilities to Zimbra

As described in the Zimbra Responsible Disclosure Policy, the Reporter must use one of the following techniques to report the vulnerability responsibly and securely via an encrypted mechanism. In order to fix and communicate the vulnerability safely to the greatest number of commercial and open-source sites, Zimbra seeks to build a partnership with its Researchers to identify, verify, patch and release software in such a way that sites can be protected against a vulnerability before public information on it is released. In turn, when the Reporter follows the Zimbra Responsible Disclosure Policy, Zimbra will acknowledge the Reporter of the found vulnerability on the Zimbra Security Center.

Reporting Vulnerability Securely to Zimbra

The following methods are acceptable methods of reporting issues securely via encrypted mechanisms:

1. Email security@zimbra.com

Email can be used for reporting vulnerabilities, but the following steps must be followed:

  • a. Reporter will notify security@zimbra.com that a vulnerability has been identified.
  • b. Within seven business days of initial contact by the Reporter, Zimbra should promptly acknowledge, with a personal response rather than an automated message, that it has received the report and is requesting additional details.
  • c. Reporter will email the additional details using an encrypted mechanism. Our recommended approach for email is to encrypt the details using Zimbra Security's public PGP/GPG key:
Zimbra Security Public PGP/GPG key

https://pgp.mit.edu/pks/lookup?search=security%40zimbra.com

Current Key: pub 4096R/87B26192 2014-05-15 Zimbra Security <security@zimbra.com>

  • This key is also available at this Zimbra URL: https://files.zimbra.com/downloads/support/zimbra-security.gpg

Previous Key: pub 1024D/C089A521 2009-07-09 Zimbra Security <security@zimbra.com>

The following details should be included in the encrypted email contents:

  • All technical information and related materials the Vendor would need to reproduce the issue.
  • Complete revision information, including his or her implementation’s current version or patch level, and a description of the technology’s environment (e.g. hardware, configuration, other applications installed, relevant details about the network topology, firewall rules, and anything else that may be of use).
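As an added example (not code from the Zimbra page or from Zimbra), the following POSIX shell script imports the downloaded key file, confirms that the key found for security@zimbra.com carries the key ID the page lists (87B26192) before anything is encrypted, and then produces an ASCII-armored copy of the report suitable for email. An installed gpg, the key file name and the report file name are assumptions.

```shell
#!/bin/sh
# Added example: import Zimbra Security's public key, verify its key ID against
# the value published on the wiki page, then encrypt a report for email.

# Short key ID from the page ("pub 4096R/87B26192 2014-05-15").
EXPECTED_SHORT_ID="87B26192"

# Reads `gpg --with-colons --list-keys` output on stdin and returns 0 when a
# "pub" record's key ID (field 5, 16 hex digits) ends with the expected
# 8-digit short ID. The short ID is the low 32 bits of the long ID, so a
# suffix comparison is the exact check.
key_id_matches() {
    want="$1"
    awk -F: -v want="$want" '
        $1 == "pub" && toupper(substr($5, length($5) - 7)) == toupper(want) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Import the key file (assumed name: zimbra-security.gpg) and refuse to encrypt
# unless a key for security@zimbra.com with the expected ID is present.
# Usage: encrypt_report zimbra-security.gpg report.txt   -> writes report.txt.asc
encrypt_report() {
    keyfile="$1"
    report="$2"
    gpg --import "$keyfile"
    if ! gpg --with-colons --list-keys security@zimbra.com | key_id_matches "$EXPECTED_SHORT_ID"; then
        echo "refusing to encrypt: no key for security@zimbra.com ending in $EXPECTED_SHORT_ID" >&2
        return 1
    fi
    # --armor yields ASCII output that survives mail clients and copy/paste.
    gpg --armor --encrypt --recipient security@zimbra.com --output "$report.asc" "$report"
}
```

An 8-hex-digit short ID is not collision resistant, so after import also compare the key's full fingerprint with the copy served from the files.zimbra.com download above before trusting it.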

2. Bugzilla

Vulnerabilities can also be added directly by Reporter to the Zimbra public Bugzilla system. If reporting via Bugzilla, please be sure that the bug is set to "Make bug visible only to reporter and Zimbra":

  • a. File bug at https://bugzilla.zimbra.com (Reporter will need to create an account on that system if they do not already have one - creating an account can be performed via self-service)
  • b. Select the correct product, Zimbra Collaboration ("ZCS") or Zimbra Desktop ("ZD")
  • c. Select the Version and Component - as appropriate
  • d. Select "Make bug visible only to reporter and Zimbra"
  • e. Include reproduction details and/or exploit proof-of-concept
  • f. Notify Zimbra via email at security@zimbra.com that the bug has been filed and provide the bug number.

3. Support Case

For Supported Customers/Partners, open a Support Case with Zimbra Support at https://support.zimbra.com

4. Coordinator

Reporter may report the issue directly to a responsible Coordinator, such as CERT (https://forms.cert.org/VulReport/). However, Zimbra would prefer that the vulnerability is initially reported directly to Zimbra, giving us the first opportunity to verify and, if necessary, fix the vulnerability directly in a working partnership with the Reporter.
