Reporting an issue
Please share the details of your security vulnerability privately by emailing our Security Team (see contact email at the top right). Include as much information as possible: detailed steps to reproduce the problem, the affected versions, the expected and actual results, and anything else that might help us react faster and more efficiently.
We prefer text-based bug descriptions accompanied by a proof-of-concept script or exploit over long videos.
You may send this report from an anonymous email account, although we promise not to disclose your identity if you do not want us to. You can also encrypt messages to our security team, and verify messages from it, with our GPG key, ID 0x0B9EA35A8E877D2F.
Important note
The majority of the security reports we receive have little to no impact on the security of Odoo or Odoo Online, and we have to reject them. To avoid a disappointing experience when contacting us, please try to put together a proof-of-concept attack and take a critical look at what is really at risk. If the proposed attack scenario turns out to be unrealistic, your report will probably be rejected. Also be sure to read the DO REPORT and DO NOT REPORT sections below.
What to report?
DO REPORT
- SQL injection vectors in public API methods
- XSS vulnerabilities working in supported browsers
- Broken authentication or session management, allowing unauthorized access
- Broken sandboxing of customizations, allowing arbitrary code execution or access to system resources
DO NOT REPORT
- Open redirectors without XSS (just another vector for phishing)
- Self-XSS attacks requiring the user to actively copy/paste malicious code
- Attacks relying on physical or social engineering techniques
- XSS working only in unsupported/deprecated browsers, or relaxed security settings
- File path disclosures (no significant risk, does not enable new attacks)
- Clickjacking or phishing attacks using social engineering tricks
- Tabnabbing or other phishing attacks conducted by navigating other browser tabs
- Open redirectors (really, no thanks! ;-))
- Reflected File Downloads (require social engineering and are not very practical)
- Referer leak (including sensitive tokens) via social media links
- Scripting or brute-forcing attacks (e.g. against password authentication)
- Password policies (length, format, character classes, etc.)
- Disclosure of public or non-sensitive information
- Email anti-spam and anti-spoofing policies such as DKIM, SPF or DMARC
- HTTP Strict Transport Security (HSTS) headers, HSTS preloading, and HSTS policies
- Issues in the default configuration of Odoo access control
- Pseudo-XSS obtained by editing your own website on your Odoo Online free trial (XSS requires cross-site scripting; injecting scripts into a site you administer does not cross a site boundary)
- Attack scenarios that rely on a takeover of user email accounts (obviously!)
- Did we mention? No open redirect issues, please! ;-)
If you have any doubt, ask us first!
Incident Response Procedure
- You privately share the details of the security vulnerability with our Security Team by reporting an issue (see above)
- We acknowledge your submission and verify the vulnerability as soon as possible (typically within 24-48h)
- We work on a correction in collaboration with you
- We write a detailed Security Advisory describing the issue, its impacts, possible workarounds and solution, and we ask you to review it
- We privately broadcast the Security Advisory and the correction to stakeholders and customers with an Odoo Enterprise Contract
- We give stakeholders and customers a reasonable period to apply the correction before disclosing it publicly (e.g. 2-3 weeks)
- We disclose and broadcast the Security Advisory and the correction on our public channels
Rules
We ask you to observe the following rules at all times:
- Only test vulnerabilities on your own deployments, on demo.odoo.com, or on your own trial instances of Odoo Online
- Never attempt to access or modify data that does not belong to you
- Never attempt to execute denial of service attacks, or to compromise the reliability and integrity of services that do not belong to you
- Do not use scanners or automated tools to find vulnerabilities, as their effects will violate the previous rules
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system
- Do not publicly disclose vulnerabilities without our prior consent (see also the Incident Response Procedure above). During the non-disclosure period you may use and test any correction we have provided, including on production servers, as long as you do not draw attention to that correction and do not publish it in the form of a security report.
In return:
- We will not initiate legal action against you as long as you have followed these rules
- We will process your report and respond as quickly as possible
- We will keep you updated on the progress and disclosure steps (see also the Incident Response Procedure above)
- We will work diligently with stakeholders and customers in order to help them restore the safety of their system
- We will not publicly disclose your identity if you do not want to be credited for your discovery
Reward
If you report a new security issue that is confirmed to be critical (see the DO REPORT section), we will publicly thank you by adding your name to the Odoo Security Hall of Fame.