We believe in transparency to mitigate security risks. All known vulnerabilities are available on our security page.
We disclose such security issues only once a released version addressing the issue is available.
We use automated tools to review our Docker images and dependencies.
To ensure the safety of our users, the security process needs to happen privately.
Here are the steps:
- The reporter emails the issue privately to openpaas-james[AT]linagora.com.
- We will then evaluate the validity of your report, and write back to you within two weeks. This response time accounts for vacation and will generally be quicker.
- We will propose a fix that we will review with you. This can take up to two weeks.
- We will propose a draft for the announcement that we will review with you.
- We will propose a schedule to you for the release and the announcements.
- One week after the release we will disclose the vulnerability.
You will be credited in the vulnerability report for your findings.