Overview
Security Advisories for OX App Suite are published to help operators identify mitigations for vulnerabilities and to assess the impact on a specific deployment. Solutions for vulnerabilities are provided well ahead of public disclosure to reduce the risk of exploitation.
This page is the authoritative source for security advisories. Resources are available in CSAF, HTML, Markdown and plain-text format.
Coordinated disclosure
Details on vulnerabilities are published after a reasonable time has passed for operators and software distributors to provide and integrate security updates. This embargo spans a minimum of 15 days and a maximum of 90 days after releasing a security update.
Customers with an NDA and the explicit interest and capability to handle earlier disclosure notifications are informed about details before and at the time of the release. Since this means sharing sensitive information about vulnerabilities whose solutions are not yet widely deployed, we need to restrict access on a "need to know" basis to avoid exploitation.
A timeline including discovery, remediation and release dates is included in the advisory. Note that the "publication date" refers to the "initial release date" of the advisory to our customers. The public may not be aware of this advisory until the "public release date".
Our public release documentation does not contain details about fixed vulnerabilities. This information is instead provided through advisories on this website and other distribution channels such as CVE.org (GitHub login required) and the full-disclosure mailing list.
CVE
As a CVE CNA, Open-Xchange takes ownership of assigning and managing CVE IDs for its entire product range. Each recognized vulnerability gets a unique CVE ID assigned, and information for the CVE record is published when security advisories become public.
If you have discovered a vulnerability in any of our products, please get in touch to have a CVE assigned and coordinate the disclosure process.
TLP
Open-Xchange uses the Traffic Light Protocol and its defined labels to describe the intended audience with which an advisory may be shared. Recipients of advisories must inform themselves about appropriate handling and maintain the TLP label when sharing the advisory further.
CSAF
Open-Xchange is committed to implementing industry standards and to improving security automation. Advisories are published using the CSAF framework, and Open-Xchange is a trusted CSAF provider. Machine-readable information on distribution and signing can be found at our provider-metadata.json.
URN parsing
CSAF documents with security advisories for OX App Suite 7 use x_generic_uris that provide a custom uri attribute with a value like urn:open-xchange:app_suite:patch-id:1234. Here 1234 is a 4-digit reference number used to identify related patch releases as published in our release notes documentation.
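The following is an added example, not code from Open-Xchange or from this page, showing how an operator's tooling could pull the patch-id URNs out of a CSAF advisory and map them to the products they belong to. It assumes the CSAF 2.0 layout in which x_generic_uris entries (objects with namespace and uri) sit under a product's product_identification_helper, either in full_product_names or in nested branches; the sample document, product ids and namespaces are constructed, and the strict 4-digit check follows the format stated above so that a malformed URN is reported rather than silently accepted.

```python
import json
import re

# Constructed CSAF 2.0 fragment (sample data, not a real Open-Xchange advisory).
# x_generic_uris lives under product_identification_helper of a product entry;
# product entries can appear in full_product_names or inside nested branches.
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Constructed sample advisory",
                 "category": "csaf_security_advisory"},
    "product_tree": {
        "full_product_names": [{
            "name": "OX App Suite 7 (constructed)",
            "product_id": "CSAFPID-0001",
            "product_identification_helper": {
                "x_generic_uris": [
                    {"namespace": "https://example.invalid/patch-id",
                     "uri": "urn:open-xchange:app_suite:patch-id:1234"},
                    {"namespace": "https://example.invalid/other",
                     "uri": "https://example.invalid/not-a-patch-id"}
                ]
            }
        }],
        "branches": [{
            "category": "product_name",
            "name": "OX App Suite 7 (constructed branch)",
            "product": {
                "name": "OX App Suite 7 patch (constructed)",
                "product_id": "CSAFPID-0002",
                "product_identification_helper": {
                    "x_generic_uris": [
                        {"namespace": "https://example.invalid/patch-id",
                         "uri": "urn:open-xchange:app_suite:patch-id:5678"},
                        # malformed on purpose: not a 4-digit reference number
                        {"namespace": "https://example.invalid/patch-id",
                         "uri": "urn:open-xchange:app_suite:patch-id:12"}
                    ]
                }
            }
        }]
    }
})

# Strict pattern: the page documents the patch id as a 4-digit number.
PATCH_URN = re.compile(r"^urn:open-xchange:app_suite:patch-id:(\d{4})$")
PATCH_URN_PREFIX = "urn:open-xchange:app_suite:patch-id:"


def parse_patch_urn(uri):
    """Return the 4-digit patch id from a well-formed patch-id URN, else None."""
    match = PATCH_URN.match(uri.strip())
    return match.group(1) if match else None


def _iter_products(node):
    """Yield every product object (a dict carrying both product_id and
    product_identification_helper) anywhere inside a CSAF product_tree."""
    if isinstance(node, dict):
        if "product_id" in node and "product_identification_helper" in node:
            yield node
        for child in node.values():
            yield from _iter_products(child)
    elif isinstance(node, list):
        for child in node:
            yield from _iter_products(child)


def extract_patch_ids(csaf_json):
    """Map each product_id to the patch ids found in its x_generic_uris.
    Unrelated URIs are ignored; patch-id URNs that do not match the documented
    shape are returned separately so the operator notices them."""
    doc = json.loads(csaf_json)
    patches, rejected = {}, []
    for product in _iter_products(doc.get("product_tree", {})):
        helper = product["product_identification_helper"]
        for entry in helper.get("x_generic_uris", []):
            uri = entry.get("uri", "")
            patch_id = parse_patch_urn(uri)
            if patch_id is not None:
                patches.setdefault(product["product_id"], []).append(patch_id)
            elif uri.startswith(PATCH_URN_PREFIX):
                rejected.append((product["product_id"], uri))
    return patches, rejected


if __name__ == "__main__":
    found, bad = extract_patch_ids(SAMPLE_CSAF)
    for product_id, ids in found.items():
        print(product_id, "->", ", ".join(ids))
    for product_id, uri in bad:
        print("rejected:", product_id, uri)
```

The walker deliberately does not assume where in the product tree a product sits, since CSAF allows both flat and nested trees; the returned patch ids are what an operator would then look up in the release notes to confirm the corresponding patch release is installed.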
security.txt
RFC 9116 (https://securitytxt.org/) is used to publish information about security contacts, VDP, bug-bounty programs and advisory locations, allowing automated consumption of security policies and artifacts. Operators are welcome to use those resources to enhance their security automation capabilities. Our primary RFC 9116 resource is available at https://www.open-xchange.com/.well-known/security.txt.
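As an added example (not code from Open-Xchange or this page), the parser below shows the checks an operator's automation should apply before trusting a security.txt it has fetched: the file is a list of "Field: value" lines with "#" comments, Contact and Expires are mandatory under RFC 9116, Expires must be a single ISO 8601 date-time, and the document should be treated as stale once that date has passed. The sample file, its URLs and the check-time values are constructed; the CSAF field points at a provider-metadata.json as described in the CSAF section above.

```python
from datetime import datetime, timedelta, timezone

# Constructed security.txt (sample data, not the real Open-Xchange file).
SAMPLE_SECURITY_TXT = """\
# Constructed sample security.txt
Contact: mailto:security@example.invalid
Contact: https://example.invalid/report
Expires: 2030-06-01T00:00:00.000Z
Policy: https://example.invalid/vdp
CSAF: https://example.invalid/.well-known/csaf/provider-metadata.json
Preferred-Languages: en, de
"""


def parse_security_txt(text):
    """Return (fields, errors): fields maps a lower-cased field name to the
    list of its values; comments and blank lines are skipped."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {lineno}: no field separator")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def check_security_txt(text, now_iso=None):
    """Apply the RFC 9116 consumer checks. now_iso is an ISO 8601 UTC
    timestamp used instead of the real clock (handy for tests)."""
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    fields, problems = parse_security_txt(text)
    if "contact" not in fields:
        problems.append("missing mandatory Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if exp <= now:
                problems.append("security.txt has expired")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year away")
    return fields, problems


if __name__ == "__main__":
    parsed, issues = check_security_txt(SAMPLE_SECURITY_TXT)
    print("contacts:", parsed.get("contact"))
    print("csaf metadata:", parsed.get("csaf"))
    print("problems:", issues or "none")
```

A consumer that ignores Expires risks acting on a stale contact or an old advisory location, which is why the check reports an expired file as a problem rather than just returning the fields.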
Other products
Please find security advisories for other parts of our product range at their respective documentation portals.