The safety of Odoo systems is very important to us (not only because we use Odoo internally), and we consider security problems with the highest priority. We do our best every day to protect Odoo users from known security threats, and we welcome all reports of security vulnerabilities discovered by our users and contributors.
We are committed to handle vulnerability reports with the greatest attention, provided that the following rules are respected.
Please share privately the details of your security vulnerability by emailing our Security Team at __. Make sure to include as much information as possible, including the detailed steps to reproduce the problem, the versions that are affected, the expected results and actual results, and any other information that might help us react faster and more efficiently. We tend to prefer text-based bug descriptions accompanied with a proof-of-concept script/exploit , rather than long videos.
__Our GPG Key
Important note: we receive a majority of security reports that have little to no impact on the security of Odoo or Odoo Online, and we ultimately have to reject them. To avoid a disappointing experience when contacting us, please try to put together a proof-of-concept attack and take a critical look at what's really at risk. If the proposed attack scenario turns out unrealistic , your report will probably be rejected. Also be sure to review our list of non-qualifying issues below.
You may send this report from an anonymous email account, although we promise not to disclose your identity if you do not want us to.
You can also encrypt and verify messages to/from our security team with the GPG key linked above.
We ask you to observe the following rules at all times:
Self-XSS attacks requiring the user to actively copy/paste malicious code into their own browser window
Pseudo-XSS vulnerabilities on your own Odoo Online instance. If you registered bar.odoo.com , you are the webmaster.
Missing or partial verification of email addresses
Disclosure of public information or information that does not carry significant risks (directory listing on our downloads archive is a required feature! ;-))
Absence of HTTP Strict Transport Security (HSTS) headers, HSTS preloading, and HSTS policies
Weak ciphers or SSL deployments details (our benchmark is an A grade on SSLLab's test)
Issues in default configuration of access control rules (e.g. ACLs and record rules) - please open regular bug reports instead
If you have any doubt, please ask us first!
If you report a new security issue that is confirmed to be critical (see the DO REPORT section), we will publicly thank you by adding your name to the Odoo Security Hall of Fame, on the right of this page.
We are extremely grateful to the following security researchers who have worked with us to further improve the security of Odoo and the Odoo Cloud platforms!
Nils Hamerlinck __
(Trobz)| 2018, 2017, 2016
Colin Newell | 2017, 2016, 2015
(IBS Group) | 2018, 2017, 2015
| 2018, 2017, 2016, 2015
Swapnesh Shah | 2018, 2019
Ondřej Kuzník | 2017, 2016, 2015
Florent Mirieu de Labarre | 2018, 2019
Yenthe Van Ginneken | 2019, 2018
Agustín Ezequiel Maio | 2019
Emre Övünç | 2019
Erwin van der Ploeg (Odoo Experts)| 2018
Benoît Chenal (Excellium-services – Application Security)| 2018
Adan Álvarez (A2secure)| 2018
Bharath Kumar (Appsecco)| 2018
Subash SN (Appsecco)| 2018
Stéphane Bidoul (ACSONE)| 2018
Mehmet Tuncer| 2018
Hugo Rodrigues| 2018
Tecnativa S.L.| 2018
(Logic Supply)| 2017
Juba Baghdad| 2017
Prakash Dhatti| 2017
Romain E Silva (Sysdream)| 2017
Adel Nettar (Sysdream)| 2017
Azizul Hakim| 2017
"Ayrx" via SSD | 2017
(WT-IO-IT GmbH)| 2017
Corben Leo| 2017
Cameron Dawe| 2016
Xavier Alt| 2016
Vibhuti Ranjan Vidyarshy Nath| 2016
Leonardo Pistone (Camptocamp France)| 2015
Mohamed Khaled Fathy| 2015
Dipak Kumar Das| 2015
Paul Catinean| 2015
Muhammed Gamal Fahmy | 2015
Openinside Co. | 2015
ONESTEiN / Glasswall | 2015
Sven Schleier, KPMG Management Consulting, SG | 2015
Ondřej Kuzník & Craig Gowing, credativ Ltd | 2015
Daniel Lawson | 2014
Vo Minh Thu| 2013
Bastian Ike| 2013
The Security Team would also like to thank the following individuals for their contributions to improve the security of Odoo users (in alphabetical order):
Aaron Devaney,Abhishek Venkat, Ahsan Khan, Caleb Kinney, Cédric Krier, Christophe Hanon, Deepali Malekar, Huzaifa Jawaid, Ivan Yelizariev, Leonardo "LeartS" Donelli, Ismail Tasdelen, Mohammed Israil, Riccardo Ancarani, Sameer Phad, Sébastien Versailles, "St00rm N00b", Suyog Palav, Tarun Manhor- Abhaychandra Chede, Ye Yint Min Thu Htut, Ziaur Rashid
This program crawled on the 2015-09-08 is sorted as bounty.