As a leading provider of open-source solutions for communication and collaboration, Open-Xchange is always looking for ways to improve the security of its products. In line with this strategy, it launched several public Bug Bounty programs on its major software product lines a few years ago, which it recently decided to shift to the YesWeHack platform, along with some other changes. This gave us the opportunity to speak with Martin Heiland, CISO at Open-Xchange, about the motivation behind those programs, how they will be managed and what researchers can expect.
Could you introduce yourself and the Open-Xchange security team?
I’m Martin Heiland, CISO at Open-Xchange. The OX Security Team is a cross-functional collective of engineers across our product range. As CISO, I’m formally in charge of the topic but, as with most things, this is based on teamwork. We try to directly involve the experts who can best respond to hunter reports and have the experience to propose or implement mitigations for security issues.
We are a remote-first company with employees from all over Europe who work on our public Bug Bounty programs (OX App Suite, Dovecot and PowerDNS). The Dovecot team is mainly located in Finland, while the OX App Suite team gravitates around Germany and the PowerDNS team is more oriented towards the Netherlands and France. Over the past years, we have also been hiring outside those regions, so the borders are blurring even more.
What is Open-Xchange’s posture regarding security and how does Bug Bounty fit into this?
We are delivering software and services to customers in highly regulated markets (telecommunications, hosting, public sector) and use our products to build our SaaS offering, OX Cloud. We also have strong ties to the open-source community, which again uses our software to run critical infrastructure. The kind of services that use our software are usually multi-tenant, exposed to the internet, and often easy to get access to. They also serve millions of users and breaches can have severe impact on user data, so security has been a significant consideration in everything we do. We put that in our mission statement to help create a “borderless internet that is open, safe and free”.
Nowadays, everyone claims to take security seriously. I think we were already doing that a long time ago and have developed our organisation’s culture around it. Customers demand things like ISO27001 compliance, but we always try to be a step ahead of the game and act proactively. This is where Bug Bounty fits into our efforts to provide the best and most secure products. For us, it’s an extension to existing security controls like proper design and development processes, code reviews, fuzzing, pentests, and so on.
Bug Bounty complements all those efforts. It’s a way to dramatically increase the audience for security reviews and tap into a diverse crowd of experts that come up with very creative ways to break things. We are part of the open-source community and value cooperation a lot. Bug Bounty gives us a way to incentivize and compensate the effort while reducing our transaction cost. Nobody likes to work for free, and we understand that there is a competition for the best talent out there. We try to attract it by being professional and respectful, responding quickly and providing fair compensation.
You started doing Bug Bounty 7 years ago. Has your approach towards it changed since then?
To be frank, it did not change significantly. Our experience in the open-source community helped us to know what we were getting ourselves into. Of course, we were able to learn a lot and improve the way we communicate and give back to the community. We also learnt how to integrate reports into our development processes. Over time, we have worked with “regular” bug reporters who have become very skilled and probably know some of our code better than we do. This has been a real pleasure to witness, as has, for instance, academic recognition of hunters for a vulnerability that we worked on together, especially if it led to improvement on both sides. If hunters agree, we recognise them in our public advisories, which has certainly helped hunters with building credibility and supporting their careers.
After 7 years, the machine must be well oiled… how do you manage the reports internally?
It’s not really rocket science! We re-use the same processes and tools that we use for internal findings. Reports from the Bug Bounty program feed into our “Software Security Incident Process”, which produces advisories, security patch releases and so on. Each team has a number of experts that focus on security topics, and they are actively using the Bug Bounty program. They review, reproduce and report findings from Bug Bounty, then put them on the map for the broader development team. We don’t work on this 24/7 but, because our teams are located in many time zones, there is a good chance to get instant feedback.
Tell us a bit about your public bug bounty programs and what’s in it for the hunters: current scopes, test conditions, rewards grid…
We currently run three public Bug Bounty programs, which represent our major software product lines: OX App Suite, Dovecot and PowerDNS.
While each of them is vastly different from a technical perspective, we try to apply the same rewards and test conditions to them. In general, we’re trying to give guidelines and not restrict what hunters can do. We think the exclusions and out-of-scope items are common sense and have proven to be useful over time. We have an exponential rewards grid that is based on CVSS and favors vulnerabilities of medium and higher severity. The top payout is €5,000, which we have awarded twice so far.
OX App Suite is a modular collaborative web application providing access to communication and productivity features such as text processing, email, spreadsheets, calendaring and so on. It’s a mature product that has been around for at least 20 years and gets continuously modernized and improved. Since many hunters focus on web security, we have seen a lot of activity on this program in the past. We provide a sandbox installation specifically for hunters to perform their research, which helps with the learning curve. Nevertheless, be aware that there is lots of complex stuff below the surface!
Dovecot is an email infrastructure component that provides access to mailboxes via protocols like submission, IMAP and POP3. It’s a well-known part of the open-source community and the most popular solution for what it does. It has also been around for more than 20 years, and the community, as well as the development team, have been busy adding plenty of extensions to it. Often, it’s the foundation of what we do with OX App Suite. Dovecot is primarily written in C and hunters should have knowledge of system services, low-level protocols and native code when taking it on.
PowerDNS is a modular DNS server that contains implementations for authoritative server, recursor and dnsdist. It’s used by many internet service providers to resolve domain names at huge scale. It has also been around for about 20 years and has been continually improved to implement new DNS standards and protocols like DNS-over-TLS or DNS-over-HTTPS. Furthermore, it’s primarily written in C++ with some parts being Python and Lua. Similar to Dovecot, it’s rather an infrastructure component and hunters should have knowledge of system services and low-level protocols.
As all products are open-source, hunters can do white-box reviews and use the resources we and the community have published. Each product represents a vast ecosystem, so there is plenty of stuff to play with!
Are there any specific scenarios you would like to see in the reports?
We’re open to pretty much any kind of report. Of course, we like creative ways to challenge our security controls. We love automation: if hunters provide automated tests, scripts or exploits for their findings, that’s definitely a bonus.
Any last words?
I can only recommend embracing transparency and having experts talk to experts when running a Bug Bounty program. Successful programs are a collaboration between hunters and organisations, not a nuisance.
Ready to hunt? Check out Open-Xchange’s public Bug Bounty programs here: OX App Suite, Dovecot, PowerDNS.
Interested in having more information about YesWeHack’s Bug Bounty solution? Schedule a demo with one of our crowdsourced security experts to find out more!
Founded in 2015, YesWeHack is a global Bug Bounty and VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 45,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.