Horde Responsible Disclosure Policy

At Horde AS, we prioritize the security of our users and their data. We understand that security researchers and our user community play a vital role in helping us maintain this standard. We value and appreciate security researchers acting in good faith and contacting us with findings that can help us protect and secure our organization and assets. This policy outlines our guidelines for responsible disclosure:

Ground rules

We ask that anyone who conducts security research in relation to our services abide by the following guidelines:

• Play by the rules: Adhere to this disclosure policy and respect all relevant laws during the course of your research.
• Respect privacy: Do not violate the privacy of others, including sharing, mishandling, or not properly securing data.
• No unauthorized access: Under no circumstances should you attempt to gain access to another user’s account or data.
• Prompt reporting: Notify us immediately once you discover a potential vulnerability, following the instructions laid out in this policy.
• Restricted disclosure: Do not disclose any vulnerabilities or associated details elsewhere than approved Horde communication channels
• Allow time for resolution: Provide our security team with a reasonable amount of time to rectify the issue before making any public disclosure.

Scope

The policy covers all Horde AS services and products. Please consider potential attack scenarios, exploitability and security impact when evaluating the reportability of your findings.

The following categories of issues or vulnerabilities are considered Out of Scope

• Social engineering and physical security exploits.
• Findings from automated tools without providing a Proof of Concept.
• Host header injection without providing a practical Proof of Concept .
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities requiring MITM, or physical access to a user’s browser, email account, or device.
• Missing best practices in Content Security Policies.
• Missing best practices in SSL/TLS configuration.
• Volumetric/Denial of Service vulnerabilities.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Self-XSS.
• Well-known vulnerable software or libraries without a relevant Proof of Concept.
• Clickjacking on content with no sensitive impact.
• UI and UX bugs and spelling mistakes.
• Missing rate limiting on non-critical endpoints.

Reporting process

If you have discovered a potential security vulnerability, please report it to our security team. Provide as much information as possible regarding the vulnerability, including how it may be exploited. Upon reporting a vulnerability, we kindly request that you:

• Refrain from actions that could increase the risk to user privacy or system integrity.
• Avoid disclosing the issue to other parties.
• Do not discuss the vulnerability with others until it has been addressed by our security team.

When you file a report

• Horde AS will acknowledge reception of your report within 48 hours of submission, and communicate next steps within 3 working days.
• Collaborate with you to understand and validate your findings.
• Recognize your contribution, if you are the first to discover a vulnerability.

Legal safe harbor

Horde AS promises not to pursue legal action against security researchers who adhere to this policy. Your research must be carried out in a responsible and ethical manner, and you must follow this disclosure policy. If at any time you have concerns about whether your security research complies with this policy, please reach out to us HERE before proceeding.

This policy is intended to encourage the discovery and responsible reporting of potential vulnerabilities, aiding us in our mission to maintain the highest standards of security for our users. Your help in this endeavor is greatly appreciated.

Rewards

Horde AS does not maintain a paid bug bounty-program. However, as a sign of our gratitude, we may offer tokens of appreciation to individuals who report potential vulnerabilities once they meet certain thresholds. All researchers that submits a previously unknown vulnerability or significant security contribution will receive a shout-out in our public document/site of acknowledgement.

Feedback & how to contact us

If you have any other related feedback, or want to add suggestions to this policy, please contact us here. We are continually working to update and improving this policy, and greatly appreciate any input.

Official communication channels are also maintained here:

security.txt
For PGP encryption keys, see: PGP public key
Du kan se våre brukervilkår terms of use, and our privacy guidelines

Annerkjennelser

Acknowledgements

🇳🇴 Norsk