2016-07-28
2019-01-23
Reward

100 $ 

Open-Xchange

Open-Xchange is a leading provider of communication, security and productivity platforms. We are committed to a borderless Internet that is open, safe and free, allowing users to protect their own data and privacy. To achieve this goal, we build open-source software, which is the sole scope of this bounty program:

  • Dovecot - An IMAP, POP3 and Submission server for email.

  • App Suite - Web-based access to email, calendaring, cloud storage and office document editing.

  • PowerDNS - A DNS server that enables domain resolution and network security features.

Since our APIs and source code are both publicly documented and exposed, we rely on strong authentication and crypto implementations and do not support the concept of security by obscurity. At the same time, we deliver our software with secure defaults. For this program we offer access to a hosted sandbox and also invite you to install our software on your premises for research, contribution and usage.

No technology is perfect, and Open-Xchange believes that working with skilled security researchers across the globe is crucial in identifying weaknesses and building trust in technology. If you believe you've found a security issue in our software, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Exclusions

  • Denial of service against our infrastructure

  • Spamming, harassment or any other kind of unauthorized communication

  • Legacy and unsupported versions

  • Social engineering, including phishing

  • Any physical attempts against our employees, property or datacenters

  • Purposely weakening the default configuration of our components

  • Vulnerabilities of third-party components, websites or DNS configuration

  • Editing our public wiki on GitHub.

  • Uploading, sending or injecting malware to Open-Xchange and contractors

  • Using data acquired by compromising customer or employee accounts

  • Vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access

  • "Jailbroken" devices may be used to ease research; flaws that require a device to be jailbroken are not in scope, however.

  • Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability.

  • Vulnerabilities which have already been reported to us (including reports received outside of HackerOne, for example from customers or penetration tests). Those are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.

  • Vulnerabilities that are present at multiple endpoints, but the fix is being made at a central component that affects all endpoints. We reward based on vulnerability, not per endpoint.

Disclosure

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

The following products are in scope of this program; please refer to their individual description to learn about documentation and research guidance. Rules, exclusions, reward and disclosure policies of this program apply to any of the products listed here.
In Scope

Scope Type            Scope Name
android_application   com.openexchange.drive.vanilla
application           https://repo.powerdns.com
application           https://repo.dovecot.org
ios_application       1585939206
web_application       sandbox.open-xchange.com
web_application       https://github.com/dovecot/core
web_application       https://github.com/dovecot/pigeonhole
web_application       https://github.com/PowerDNS/pdns
web_application       https://github.com/open-xchange/appsuite-middleware
web_application       https://github.com/open-xchange/appsuite-frontend

Out of Scope

Scope Type            Scope Name
web_application       *.open-xchange.com
web_application       *.dovecot.org
web_application       *.dovecot.fi
web_application       *.powerdns.com
web_application       *.powerdns.org


This program, crawled on 2016-07-28, is sorted as bounty.