Zimbra Security Response Policy

Revision as of 03:32, 18 July 2015 by Plobbes

Zimbra recognizes that its collaboration and community software platforms hold highly valuable user data and are commonly connected directly to the Internet. We place a high value on security standards and prioritize testing for and fixing security issues in both our core and third-party software components.

Zimbra is deeply committed to preventing security breaches, which can have a direct and serious impact on all of the following:

  • Customer confidence and satisfaction
  • Service availability
  • Confidentiality of data
  • Customer retention
  • Brand reputation

Zimbra utilizes a Vulnerability Life Cycle workflow based on the NIAC nine-step vulnerability life cycle (reference: NIAC Vulnerability Disclosure Framework, National Infrastructure Advisory Council, Jan 2004, http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf):

Step  Detail                         Responsible Party
1     Research                       Reporter or Vendor
2     Verification                   Reporter or Vendor
3     Report                         Reporter or Vendor
4     Evaluation                     Vendor or Coordinator
5     Acknowledgement                Vendor
6     Repair                         Vendor
7     Advisory and patch evaluation  Vendor
8     Fix or Patch release           Vendor
9     Feedback and case closure      Reporter or Vendor

When a vulnerability in a Zimbra product is reported and verified, Zimbra will use reasonable efforts to fix it quickly. A fix may take one or more of these forms:

  • A Major or Minor Release of the product.
  • A Maintenance Release or Patch for the affected product.
  • Instructions to upgrade or patch a third-party software component that addresses the vulnerability.
  • A workaround that adjusts the configuration or architecture to mitigate the vulnerability.

For Critical security vulnerabilities, Zimbra will prioritize and release a fix at the first opportunity. When a release or patch for a Critical or Major vulnerability becomes available, Zimbra will notify its customers by the following means:

  • Product Release or Patch Notes listing the vulnerability, bug number and CVSS score
  • Additional vulnerability details or acknowledgements at the Zimbra Security Center at https://wiki.zimbra.com/wiki/Security_Center
  • Where determined necessary, notification via the Zimbra Newsletter, Forums, Blogs, Support Portal or other channels

Zimbra may modify, revise or update this Security Response Policy at any time by updating this posting. You should visit this page from time to time to review the then-current policy. The most current version of the policy supersedes all previous versions.
