avatar
Bug bounty
Public

Dovecot

Building a borderless Internet that is open, safe and free.

Reward

Bounty
Hall of fame
€100
Low
€100
Medium
€500
High
€2,000
Critical
€5,000

Program

Avg reward
€550
Max reward
€1,000
Scope
1

Supported languages
English

Hacktivity

Reports
23
1st response
< 1 day
Reports last 24h
-
Reports last week
-
Reports this month
-

Company

Open-Xchange is a leading provider of communication, security and productivity platforms. We are committed to a borderless Internet that is open, safe and free, allowing users to protect their own data and privacy. To achieve this goal, we build open-source software, which is the sole scope of this bounty program. Dovecot is our IMAP, POP3 and Submission server for email, which is part of many operating systems and gets used by millions of operators.

Since our interfaces and source code are both publicly documented and exposed, we rely on strong authentication, crypto implementations and do not support the concept of security by obscurity. At the same time, we're delivering our software in a way that it comes with secure defaults. For this program you need to install our software on your premises for research.

We also run bug-bounty programs for our other products:

Program Rules

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial of service attacks is strictly forbidden, as well as any interference with our infrastructure.
  • You can set up a lab environment for your own research based on public software packages, containers and source-code. However, we will not accept reports which are specific to your lab's configuration and cannot be reproduced on our deployments.

Moreover you must avoid :

  • Tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
  • Editing our public wiki on GitHub.
  • Uploading, sending or injecting malware to Open-Xchange and contractors
  • Using data acquired by compromising customer or employee accounts

Vulnerabilities which have already been reported to us (including reports received outside YesWeHack, for example from customers or penetration tests) are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.

The triage team will use the "One Fix One Reward" process: if two or more endpoints use the same code base and a single fix can be deployed to fix all the others weaknesses, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. We reward based on vulnerability, not per endpoint.

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program scope and identified outside of our program scope, such as:

  • Exposed credentials in/from an out-of-scope asset/source
  • Sensitive information exposed in/from an out-of-scope asset/source
  • Credentials provided on purpose, for example access to a Sandbox installation

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program scope
  • Exposed PII on an out-of-scope asset
Source of leak is in-scope Source of leak belongs to Open-Xchange but is out-of-scope Source of leak does not belong to Open-Xchange and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not Eligible Not Eligible

Important precautions and limitations

As a complement to the program rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they will not be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Dovecot, however, only those that meet the following eligibility requirements may receive a monetary reward.

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below)
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots as necessary. PoC exploit code is highly appreciated.
  • You must not be a former or current employee of Open-Xchange or one of its contractor.
  • Reports about vulnerabilities are examined by our security analysts.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
  • When reviewing source-code, the "main" or "master" branches represent the current versions that are available as packages and on the sandbox environments. Only reports for those branches will be eligible for bounty, if there is a master and main branch, the main branch takes precedence.
  • For packages the last two released minor versions are eligible for bounty.

We are interested in security issues in the following products:

  • Dovecot IMAP Server
  • Pigeonhole SIEVE

Software packages

You can use on-premise installations of our software free of charge and have a look at its inner workings. We expect that you're using up-to-date versions of our software and related services, hardened configurations as well as a set of strong credentials.

You can download pre-compiled software-packages from our repository:

Learn more from overviews and guides at ​https://oxpedia.org/ and technical documentation is provided at https://doc.dovecot.org/. You can find an installation guide at https://doc.dovecot.org/installation_guide/. Note that documentation for main branch is kept at https://doc.dovecot.org/3.0/

Source-code

Source-code can be obtained as source tarballs:

We also maintain code repository mirrors on GitHub:

The "main" branch represents the latest stable release.

Mind that each component has various integration points, APIs and subcomponents that are in scope. Please refer to our documentation to learn more.

Rating and Responsible Disclosure

We use CWE, CVE, CVSS to rate and categorize vulnerabilities. Any vulnerability will be publicly disclosed after sufficient time has passed for operators to deploy updates. Advisories use CSAF and will be published on our update sites, mailing-lists and external mailing-lists like oss-security. Please understand that we handle the full disclosure process and expect that you do not disclose any findings yourself, we will include researcher credits if requested.


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Low
€100€500€2,000€5,000

Scopes

ScopeTypeAsset value
Dovecot IMAP Server and Pigeonhole SIEVE (see "Software packages" and "Source code") other
Low
Low
€100
Medium
€500
High
€2,000
Critical
€5,000

Out of scopes

  • All content which is not listed as "Scopes", especially any production system operated by customers
  • "Scopes" in this program refer to the binary packages and source-code provided there, the systems providing those artefacts are out of scope
  • Everything that is not directly related to the application or source-code in scope (e.g. GitHub, domain settings)

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Buffer overflows, underflows
  • Crashes that hint security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, SQL, ...)
  • Broken authentication & session management
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • Cross-Site Scripting (XSS)
  • Cross-Site Requests Forgery (CSRF) with real security impact
  • Open redirect
  • Clickjacking/UI redressing
  • Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes

Non-qualifying vulnerabilities

  • Software version disclosure
  • Stack traces or path disclosure
  • Physical or social engineering attempts
  • Recently disclosed 0-day vulnerabilities
  • Vulnerabilities affecting outdated platforms
  • Reports for outdated versions of our software (more than two minor versions old)
  • Findings that do not have considerable impact on availability, confidentiality and integrity
  • Reports from automated vulnerability scanners (Acunetix, Vega, Burp, Nessus, etc.) that have not been validated
  • Denial of service attacks
  • Spamming, harassment or any other kind of unauthorized communication
  • Legacy and unsupported versions
  • Any physical attempts against our employees, property or datacenters
  • Purposely weakening the default configuration of our components, vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access
  • Vulnerabilities of third-part components, websites or DNS configuration
  • Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program scope

Hunting requirements

Account access

No accounts required, please deploy the software and start hunting!

User agent

Please append to your user-agent header the following value: ' -ywh-bugbounty-dovecot '.


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.