Banner object (1)

Hack and Take the Cash !

815 bounties in database
  Back Link to program      
OX App Suite logo
Hall of Fame


100 $ 

OX App Suite

Introduction to OX App Suite an program rules

OX App Suite is a communication, collaboration and office productivity platform which allows individuals and organisations to perform digital day-to- day work through a unified service. Our mission is to provide best in class privacy for users and operational security for providers. We believe in open standards, data ownership and self-determination of users.

Since our APIs and source code are both publicly documented and exposed we rely on strong authentication, crypto implementations and do not support the concept of security by obscurity. At the same time we're delivering the software in a way that it comes with secure defaults. For this program we offer both access to a hosted sandbox and invite you to install OX App Suite on your premises for research, contribution and usage.

No technology is perfect, and Open-Xchange believes that working with skilled security researchers across the globe is crucial in identifying weaknesses and build trust in technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.


Our corporate website and related services are not in scope for this program, please report them to the contact provided at our website instead.

This Program solely targets software vulnerabilities within OX App Suite, the sandbox environment and client software provided by Open-Xchange through app stores. Your report must be conclusive and relate to currently supported versions and unmodified runtime environments. Vulnerabilities need to be of practical relevancy and documented in a way that they can be reproduced. Send screen-shots, code, video; whatever helps to understand the flaw.

How to research

Sandbox installation

We're offering a hosted sandbox environment for you to execute research using shared accounts. Please note that other researchers may access and use your data on a shared account. Researchers with a proven track record of valuable reports are eligible to get private accounts on request. The environment will reset each Sunday at 06:00 UTC, so please make sure to keep backups of you research.

Mail delivery on this environment is inbound and local-only, which means you can not send mail to external addresses. However, you can send E-Mail to the accounts, between the accounts as well as using IMAP and SMTP to connect to the mailbox using the same host and credentials as used for web access.

URL: __
User: user.{one..five}@sandbox-{1..5}
Password: secret

Hint: {1..5} means all numbers from 1 to 5, for example,

The @ is a user and "context" (tenant) delimiter, where the first part represents the user account and the second part defines the context. All users within the same context can "see" each other within the application but are separated from other contexts. As an example, "" and "" are two fully separated user accounts, while "" and "" can work together within the same context and are supposed to access shared data.

Using UA identifier tokens of popular CalDAV/CardDAV clients (e.g. "Lightning" or "DataAccess") will internally redirect requests at __to our DAV servlet rather than providing access to the web interface. For research, you can use __directly. Using __grants access to WebDAV based file access to"Drive".

The following OX App Suite packages are installed at the sandbox environment: __

Any other environments of OX App Suite providers or Open-Xchange itself are strictly out of scope and attack attempts will lead to permanent exclusion from this program.


The following client apps are in scope for this program:

On-premise installation

Since we're open-source, you can use on-premise installations of our software free of charge and have a look at its source-code. We expect that you're using up to date versions of our software and related services, hardened configurations as well as a set of strong credentials.

Learn more from overviews and guides at __and find an installation script at __. Technical documentation is provided at __.


Source-code can be cloned via Git and is provided through two systems:

The "master" branches for frontend, backend, guard, office-web and office repos represent whats available as packages and as a sandbox

The following products and components are in scope for this program:

  • OX App Suite
  • OX Documents
  • OX Document Converter
  • OX Image Converter
  • OX API Facade
  • OX USM and Exchange Active Sync
  • OX Guard

Mind that each component has various integration points, APIs and sub- components that are in scope. Please refer to our documentation to learn more.

Non-Qualifying Vulnerabilities

  • Issues located within third party components for example MySQL, Apache or Java or Libraries
  • Social Engineering of Open-Xchange employees and contractors
  • Physical attacks against infrastructure, employees and offices of Open-Xchange
  • Upload, sending or inject malware to Open-Xchange and contractors
  • Research that results in spam, harassment or any kind of unauthorized communication
  • Using data acquired by compromising customer or employee accounts
  • Denial of service attacks that use high bandwidth or excessive requests
  • Vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access
  • "Jailbroken" devices may be used to ease research, flaws that require a device to be jailbroken are not in scope however.
  • Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability.
  • Vulnerabilities which have already been reported to us (including reports received outside of Hackerone, for example from customers or pentests). Those are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.
  • Vulnerabilities that are present at multiple endpoints but the fix is being made at a central component that affects all endpoints. We reward based on vulnerability, not per endpoint.

Eligibility and Disclosure

  • You must agree and comply to the Program rules
  • You must be the first person to responsibly disclose an unknown issue
  • You must not publicly disclose the vulnerability prior to our public disclosure

Our security team will review each committed finding and establish communication as soon as possible to reproduce and solve the reported vulnerability. Please allow 3 working days for our initial response. We ask you to make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.


Besides our respect and attribution of your work, Open-Xchange may provide rewards to eligible reporters of qualifying vulnerabilities. Rewards include:

  • Open-Xchange-branded Swag: T-Shirts, Polo Shirts, Hoodies
  • Minimum reward of $100 for vulnerabilities we consider to be serious, up to a maximum of $5000 for the most severe vulnerabilities

Due to logistical issues and subsequent overhead and disappointment on both sides, we're not sending Swag packages to locations with notorious weak infrastructure. In this case we're awarding a amount below the minimum reward to compensate.

We will respond to your reports as soon as possible, bounty however will be assigned once a week after reviewing and rating the reports in terms of impact and risk.

Open-Xchange will determine in its discretion whether a reward is being granted as well as its amount. In particular we may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. When doing our estimation we're using CVSS and map the score against our payout-grades. This means certain aspects are of importance when considering the reward for a specific issue, for example:

  • Does it affect all users or would a practical attack require significant effort to compromise a wider range of users?
  • What level of authentication at the attacker and victim side is required to make the attack work?
  • Are social-engineering vectors (e.g. phishing) required to execute the vulnerability?
  • Is the attack vector remotely exploitable and are multiple steps required to execute it?
  • Does the attack require interaction of the victim to be effective?
  • Does the attack rely on weaknesses in third party components on the victims side?

Based on this evaluation of impact and severity it could be that issues which is similar on a technical side gets different ratings and subsequently payout. We're not having a fixed amount of reward for a specific kind of issue. Note that the scale between minimum and maximum payout is not linear. We reserve the right to change these program rules at any time without prior announcement.

Thank you for helping keep Open-Xchange and its users safe! And by the way, we're hiring __...

In Scope

Scope Type Scope Name







Out of Scope

Scope Type Scope Name


This program leverage 6 scopes, in 3 scopes categories.

FireBounty © 2015-2019

Legal notices