
Security: RotherOSS/otobo


SECURITY.md

OTOBO Team Vulnerability Disclosure Policy

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Respect the rules. Operate within the rules set forth by the OTOBO Security Team, or speak up if in strong disagreement with the rules.
  • Respect privacy. Make a good faith effort not to access or destroy another user's data. Avoid degradation of user experience, disruption to production systems, and destruction of data.
  • Be patient. Make a good faith effort to clarify and support any questions that arise. Keep information about any vulnerabilities you’ve discovered confidential between yourself and the OTOBO Team until we have resolved the issue with a public OTOBO Security Announcement (typically within 90 days).
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
  • Use the communication channel below to report vulnerability information to us. Do not use personal emails, social media accounts, or other private connections to contact a member of a security team regarding vulnerabilities or any program-related issues, unless you have been instructed to do so.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 1 week of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

  • OTOBO and features created by the OTOBO Team
  • Managed OTOBO created by the OTOBO Team

Out of scope

Any services hosted by third-party providers are excluded from scope. These include OTOBO instances hosted by external parties and forks of OTOBO.

Supported Versions

The following versions of OTOBO are currently being supported with security updates. Older versions are not supported and have known vulnerabilities.

Version | Supported | Known vulnerabilities
10.x    | Yes       |

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@otobo.org. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/pseudonym for recognition in our Hall of Fame. If you prefer to remain anonymous, we encourage you to submit under a pseudonym.
