Assessments

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.8
  • OPS.1.1.1
  • OPS.1.1.6
  • APP.3.1

Open-Xchange has the following programs in place to independently detect security vulnerabilities:

  • External security assessments – Conducted by companies specialising in such assessments. These consist of code review and/or penetration testing.
  • Bug Bounty program – A program to reward and thus incentivize security researchers to find vulnerabilities in OX App Suite.
  • Vulnerability Disclosure Program – A program to easily report any kind of vulnerability in any asset, without the expectation of a financial reward.

External security assessments

External security assessments are performed using a specific scope, usually focusing on new features that are relevant to secure operations. Full reports are available on demand. We use a risk-based approach, informed by current developments, to decide which methodology and scope yield the highest return on investment for such external reviews.

Besides application-specific evaluations and code reviews of OX App Suite, Open-Xchange procures full-stack security reviews as part of its OX Cloud offering. OX App Suite is a critical component of that service and is covered by dynamic penetration tests against the platform.

Assessment overview

The following external security assessments related to OX App Suite have been performed since its initial release in 2013.

2024

  • Code-Review and dynamic testing of Redis Session Management
  • Auditing of Kubernetes cluster configuration of OX Cloud

2022

  • Penetration test of OX Cloud SOAP API and CMC

2021

  • Code Review and penetration test of OX App Suite Chat functionality
  • Auditing of Kubernetes cluster configuration of OX Cloud

2020

  • External network penetration test of OX Cloud and penetration test of OX App Suite

2019

  • Penetration test of the OX App Suite multifactor authentication functionality
  • External network penetration test of OX Cloud and penetration test of OX App Suite

2018

  • External network penetration test of OX Cloud and penetration test of OX App Suite

2017

  • External network penetration test of OX Cloud and penetration test of OX App Suite

2016

  • Code Review of the OX Guard codebase

2015

  • Web application penetration test of OX App Suite

2014

  • Web application penetration test of OX App Suite
  • Code Review of the OX Guard codebase

2013

  • Web application penetration test of OX App Suite

Operator security assessments

It is common for operators to perform their own in-house security testing as part of vendor compliance programs and risk evaluations. Open-Xchange stays in close contact with operators about the results of such evaluations and incorporates them into product development and its security program. Those reports are proprietary, and their details cannot be shared.

Bug Bounty program

The OX App Suite Bug Bounty program is publicly available at https://yeswehack.com/programs/app-suite.

Researchers not only have access to the OX App Suite software packages and source code, but we also provide a "sandbox" environment, which researchers may use in any way they see fit in order to find vulnerabilities. This environment is automatically updated and reset to a known state.

Open-Xchange uses this program to complement the existing professional penetration tests: those review a specific set of functionality, whereas the bug bounty program casts a much wider net and its points of attention cannot be controlled in detail. Where we identify clusters of vulnerabilities through the Bug Bounty program, we also treat them as a focus point for additional evaluation.

Vulnerability Disclosure Program

In addition to the Bug Bounty program, OX operates a vulnerability disclosure program (https://vdp.open-xchange.com/), which covers all of its assets and is linked from the main website.