Overview

Security Advisories for OX App Suite are published to help operators identify mitigations for vulnerabilities and to assess the impact on a specific deployment. Solutions for vulnerabilities are provided well ahead of public disclosure to reduce the risk of exploitation.

This page is the authoritative source for security advisories. Resources are available in CSAF, HTML, Markdown and plain-text format.

Coordinated disclosure

Details on vulnerabilities are published after a reasonable time has passed for operators and software distributions to provide and integrate security updates. This embargo lasts at least 15 and at most 90 days after a security update is provided.

Advisories are publicly shared on this website, CVE.org and the fulldisclosure mailing list.

CVE

As a CVE CNA, Open-Xchange takes ownership of assigning and managing CVE IDs for its entire product range. Each recognized vulnerability gets a unique CVE ID assigned, and information for the CVE record is published when security advisories become public.

If you have discovered a vulnerability in any of our products, please get in touch to have a CVE assigned and coordinate the disclosure process.

CSAF

Open-Xchange is committed to implementing industry standards and to improving security automation. Advisories are published using the CSAF framework, and Open-Xchange is a trusted CSAF provider. Machine-readable information on distribution and signing can be found at our provider-metadata.json.

URN parsing

CSAF documents with security advisories for OX App Suite 7 use x_generic_uris entries whose custom uri attribute has a value like urn:open-xchange:app_suite:patch-id:1234. Here, 1234 is a 4-digit reference number that identifies the related patch releases as published in our release notes documentation.
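
One way to consume these URNs, as an added example that is not Open-Xchange's own code: it walks the product_tree of a parsed CSAF document, collects the patch IDs from x_generic_uris entries, and separately reports URNs that carry the Open-Xchange prefix but do not match the 4-digit form. The sample document, its product names and the namespace value are constructed placeholders; reading x_generic_uris under product_identification_helper follows the CSAF 2.0 schema.

```python
import re

# URN form shown on the page: fixed prefix plus exactly four ASCII digits.
PATCH_URN = re.compile(r"urn:open-xchange:app_suite:patch-id:([0-9]{4})")

def iter_helpers(node):
    """Yield every product_identification_helper object below node."""
    if isinstance(node, dict):
        helper = node.get("product_identification_helper")
        if isinstance(helper, dict):
            yield helper
        for value in node.values():
            yield from iter_helpers(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_helpers(item)

def patch_ids(csaf_doc):
    """Return (sorted patch ids as strings, rejected Open-Xchange URNs)."""
    found, rejected = set(), []
    for helper in iter_helpers(csaf_doc.get("product_tree", {})):
        for entry in helper.get("x_generic_uris", []):
            uri = entry.get("uri", "") if isinstance(entry, dict) else ""
            match = PATCH_URN.fullmatch(uri)
            if match:
                found.add(match.group(1))  # keep as text so leading zeros survive
            elif uri.startswith("urn:open-xchange:"):
                rejected.append(uri)  # has the vendor prefix but is malformed
    return sorted(found), rejected

def _product(name, pid, uri):
    # Constructed helper for the sample; the namespace value is a placeholder.
    return {"name": name, "product_id": pid, "product_identification_helper": {
        "x_generic_uris": [{"namespace": "https://example.invalid/ns", "uri": uri}]}}

# Constructed sample, not taken from a published advisory.
SAMPLE = {"product_tree": {"branches": [{
    "category": "vendor", "name": "Open-Xchange", "branches": [{
        "category": "product_name", "name": "OX App Suite", "branches": [
            {"category": "product_version", "name": "7.x-a", "product":
                _product("a", "P1", "urn:open-xchange:app_suite:patch-id:1234")},
            {"category": "product_version", "name": "7.x-b", "product":
                _product("b", "P2", "urn:open-xchange:app_suite:patch-id:0456")},
            {"category": "product_version", "name": "7.x-c", "product":
                _product("c", "P3", "urn:open-xchange:app_suite:patch-id:12345")},
            {"category": "product_version", "name": "7.x-d", "product":
                _product("d", "P4", "urn:example:unrelated:1")},
        ]}]}]}}

if __name__ == "__main__":
    print(patch_ids(SAMPLE))
```

Matching with fullmatch and keeping rejected URNs visible means a malformed or unexpected identifier is surfaced to the operator instead of being silently mapped to the wrong patch release.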

security.txt

RFC 9116 (https://securitytxt.org/) is used to publish information about security contacts, VDP, bug-bounty programs and advisory locations to allow automated consumption of security policies and artifacts. Operators are welcome to use those resources to enhance their security automation capabilities. Our primary RFC 9116 resource is available at https://www.open-xchange.com/.well-known/security.txt.

Other products

Please find security advisories for other parts of our product range at their respective documentation portals.