Zimbra Responsible Disclosure Policy
Zimbra Responsible Disclosure Policy
Zimbra will publicly acknowledge Reporter of the vulnerability discovery if Reporter strictly meets the following criteria and wishes to be acknowledged.
- Reporter: the initial identifier of the vulnerability, either as reported to Zimbra directly or to a responsible Coordinator. Also known as the Discoverer, Originator or Researcher.
- Coordinator: optional third-party that facilitates the public release of vulnerability information. Examples of well-recognized responsible Coordinators include the following:
- Vendor(s): repairer(s) of the vulnerability and/or software that contains a vulnerability, generally referring to Zimbra but may include other commercial or pen-source software developers
- Users: end user or administrator of the software, includes commercial and open-source customers and partners
- Hybrid disclosure: a benign user or researcher does not announce the vulnerability knowledge to the public immediately, but instead allows the vendor some time to develop a patch. [H. Cavusoglu, H. Cavusoglu, and S. Raghunathan, “Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge”, 2007]
- Acknowledgement: public recognition of the Reporter for responsible vulnerability disclosure
Responsible Disclosure and Reporter Acknowledgement Policy:
- The Reporter must be the initial identifier of the vulnerability, either as reported to Zimbra directly or to a responsible Coordinator.
- Reporter must notify only Zimbra or a responsible Coordinator, such as CERT, of the vulnerability.
- Within seven business days of initial contact by the Reporter, Zimbra should promptly acknowledge, with a personal response rather than an automated message, that it has received the report. If the Vendor does not send a satisfactory acknowledgement, the Reporter should attempt to escalate the issue with the Vendor. If the Reporter is still unsuccessful, he or she should seek the assistance of a responsible third-party Coordinator who may have existing credibility and open channels of communication with the Vendor. [reference: NIAC Vulnerability Disclosure Framework, National Infrastructure Advisory Council, Jan 2004, http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf]
- When reporting a security vulnerability to Zimbra, the Reporter should provide, via encrypted communication, all technical information and related materials the Vendor would need to reproduce the issue. The Reporter should also provide complete revision information, including his or her implementation’s current patch level, and a description of the technology’s environment (e.g. hardware, configuration, other applications installed, relevant details about the network topology, firewall rules, and anything else that may be of use). The Reporter should provide this information only after receiving acknowledgement from Zimbra and knowing with certainty that the information provided is going to the correct group. If the Reporter shares exploit code, the Reporter, Zimbra, and any involved Coordinator should use extreme care to ensure that it is properly labeled and protected. The Reporter should immediately notify Zimbra or Coordinator of any new information or errors in the original report. [reference: NIAC Vulnerability Disclosure Framework, National Infrastructure Advisory Council, Jan 2004]
- The Reporter must act to protect the information from leaking to external parties between the time of reporting it to the Vendor and final public release. [NIAC Vulnerability Disclosure Framework, National Infrastructure Advisory Council, Jan 2004]
- The vulnerability must be verified and CVSS scored by Zimbra or responsible Coordinator.
- Zimbra will continue to keep Reporter apprised of the progress of a patch or release to fix the vulnerability.
- Reporter must agree to hold all vulnerability details private until at least 30 days after a patch or release that fixes the issue has been made generally available (“GA”) for the product. Upon 30 days after a patch or release is released, the Reporter may choose to publish detailed information, but may not publish an exploit under any circumstances.
- Zimbra will publicly acknowledge the Reporter - if the Reporter approves of Acknowledgement - within 30 days after the release of an Release or Patch that addresses the problem, through the Zimbra Security Center at this location: http://www.zimbra.com/security/
- Zimbra may modify, revise or update this Responsible Disclosure Policy, at any time, by updating this posting. You should visit this page from time to time to review the then-current policy. The most current version of the policy will supersede all previous versions.
Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »
Want to get involved?
You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »
Other Help Resources
Looking for a Video?
Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »