As described in the Zimbra Responsible Disclosure Policy, it is critical that the Reporter please use the following techniques to report the vulnerability responsibly and securely via encrypted mechanisms. In order to fix and communicate the vulnerability safely to the greatest number of commercial and open-source sites, Zimbra seeks to build a partnership with its Researchers to identify, verify, patch and release software in such a way as to allow sites to be protected against a vulnerability prior to the release of public information on the vulnerability. In turn, when the Zimbra Responsible Disclosure Policy is followed by the Reporter, Zimbra will acknowledge the Reporter of the found vulnerability on the Zimbra Security Center.
The following methods are acceptable methods of reporting issues securely via encrypted mechanisms:
Email can be used for reporting vulnerabilities, but the following steps must be followed:
Our recommended approach for email is to encrypt the details using Zimbra Security's public PGP/GPG key:
The following details should be included in the encrypted email contents:
Vulnerabilities can also be added directly by Reporter to the Zimbra public Bugzilla system. If reporting via Bugzilla, please be sure that the bug is set to "Make bug visible only to reporter and Zimbra" :
For Supported Customers/Partners, open a Support Case with Zimbra Support at https://support.zimbra.com or by sending email to support [at] zimbra [dot] com.
Reporter may report the issue directly to a responsible Coordinator, such as CERT https://forms.cert.org/VulReport/. However, Zimbra would prefer that the vulnerability is initially reported directly to Zimbra and provide us the first opportunity to verify and, if necessary, fix the vulnerability directly in a working partnership with the Reporter.