Company

Open-Xchange is a leading provider of communication, security and productivity platforms. We are committed to a borderless Internet that is open, safe and free, allowing users to protect their own data and privacy. To achieve this goal, we build open-source software, which is the sole scope of this bounty program. Dovecot is our IMAP, POP3 and Submission server for email, which is part of many operating systems and gets used by millions of operators.

Since our interfaces and source code are both publicly documented and exposed, we rely on strong authentication, crypto implementations and do not support the concept of security by obscurity. At the same time, we're delivering our software in a way that it comes with secure defaults. For this program you need to install our software on your premises for research.

We also run bug-bounty programs for our other products:

• PowerDNS
• OX App Suite

Program Rules

• We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
• If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
• Any type of denial of service attacks is strictly forbidden, as well as any interference with our infrastructure.
• You can set up a lab environment for your own research based on public software packages, containers and source-code. However, we will not accept reports which are specific to your lab's configuration and cannot be reproduced on our deployments.

Moreover you must avoid :

• Tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
• Editing our public wiki on GitHub.
• Uploading, sending or injecting malware to Open-Xchange and contractors
• Using data acquired by compromising customer or employee accounts

Vulnerabilities which have already been reported to us (including reports received outside YesWeHack, for example from customers or penetration tests) are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.

The triage team will use the "One Fix One Reward" process: if two or more endpoints use the same code base and a single fix can be deployed to fix all the others weaknesses, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. We reward based on vulnerability, not per endpoint.

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program scope and identified outside of our program scope, such as:

• Exposed credentials in/from an out-of-scope asset/source
• Sensitive information exposed in/from an out-of-scope asset/source
• Credentials provided on purpose, for example access to a Sandbox installation

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees.

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources
• Exposed credentials that are not applicable on the program scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program scope
• Exposed PII on an out-of-scope asset

Important precautions and limitations

As a complement to the program rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities (they will not be eligible anyway)
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Dovecot, however, only those that meet the following eligibility requirements may receive a monetary reward.

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability (see below)
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots as necessary. PoC exploit code is highly appreciated.
• You must not be a former or current employee of Open-Xchange or one of its contractor.
• Reports about vulnerabilities are examined by our security analysts.
• Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
• When reviewing source-code, the "main" or "master" branches represent the current versions that are available as packages and on the sandbox environments. Only reports for those branches will be eligible for bounty, if there is a master and main branch, the main branch takes precedence.
• For packages the last two released minor versions are eligible for bounty.

We are interested in security issues in the following products:

• Dovecot IMAP Server
• Pigeonhole SIEVE

Software packages

You can use on-premise installations of our software free of charge and have a look at its inner workings. We expect that you're using up-to-date versions of our software and related services, hardened configurations as well as a set of strong credentials.

You can download pre-compiled software-packages from our repository:

• https://repo.dovecot.org/

Learn more from overviews and guides at ​https://oxpedia.org/ and technical documentation is provided at https://doc.dovecot.org/. You can find an installation guide at https://doc.dovecot.org/installation_guide/. Note that documentation for main branch is kept at https://doc.dovecot.org/3.0/

Source-code

Source-code can be obtained as source tarballs:

• https://www.dovecot.org/releases/

We also maintain code repository mirrors on GitHub:

• https://github.com/dovecot/core
• https://github.com/dovecot/pigeonhole

The "main" branch represents the latest stable release.

Mind that each component has various integration points, APIs and subcomponents that are in scope. Please refer to our documentation to learn more.

Rating and Responsible Disclosure

We use CWE, CVE, CVSS to rate and categorize vulnerabilities. Any vulnerability will be publicly disclosed after sufficient time has passed for operators to deploy updates. Advisories use CSAF and will be published on our update sites, mailing-lists and external mailing-lists like oss-security. Please understand that we handle the full disclosure process and expect that you do not disclose any findings yourself, we will include researcher credits if requested.