Dovecot is an open source email server with an installed base of over 3 million servers all over the world and a global market share of over 60% of all IMAP servers. Dovecot is the IMAP server of choice for ISPs, Telcos and Enterprises everywhere in the world.
Dovecot was designed from the beginning with security in mind and with many ways to provide privilege separation. Although the code is written in C, it uses a somewhat special C variant that makes it much more difficult to write security holes accidentally than in most other C-based projects. Dovecot is an excellent choice for both small and large installations. It is fast, simple to set up, requires no special administration and uses very little memory.
Please note that our websites and infrastructures are in no way part of this program, and are explicitly out of scope.
This Program solely targets software vulnerabilities within Dovecot components. The report must be reproducible on currently supported versions and operating systems. Vulnerabilities need to be documented in a way that they can be reproduced. Send screen-shots, code, video; whatever helps to understand the flaw.
Learn more and find installation guides at https://wiki2.dovecot.org/.
Since we're open-source, you can use a locally installed instance of Dovecot. Especially when using local installations, we expect that you're using up to date versions on supported operating systems, hardened configurations of those services as well as a set of strong credentials.
Check out your favourite Linux distribution for a pre-compiled version of Dovecot or use https://repo.dovecot.org/.
You can get access to our source code publicly at https://github.com/dovecot/core and https://github.com/dovecot/pigeonhole, but please do not report any potential security issue to the public bug tracker.
While researching, we'd like to ask you to refrain from the following non-qualifying issues and techniques; they will not be considered for bounty:
Our security team will review each committed finding and establish communication as soon as possible to reproduce and solve the reported vulnerability. Please allow 3 working days for our initial response. We ask you to make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Besides our respect and attribution, Dovecot may provide rewards to eligible reporters of qualifying vulnerabilities. Rewards include:
Dovecot will determine in its discretion whether a reward should be granted and the amount of the reward. In particular we may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a contest or competition.
Due to logistical issues and the subsequent overhead and disappointment on both sides, we're not sending Swag packages to locations with notoriously weak infrastructure. In this case we're awarding an amount below the minimum reward to compensate.
When making our estimation we use CVSS and map the score against our payout grades.
This means certain aspects are of importance when considering the reward for a specific issue, for example:
Based on this evaluation of impact and severity, issues that are similar on the technical side may get different ratings and, subsequently, different payouts. We do not have a fixed reward amount for a specific kind of issue. Note that the scale between minimum and maximum payout is not linear. We reserve the right to change these program rules at any time without prior announcement.
Thank you for helping to keep Dovecot and its users safe! And by the way, we're hiring...