Like all software, Horde sometimes has bugs that impact security. This page is an attempt to lay out procedures for handling them as gracefully as possible.
We ask that researchers and others who discover security problems report them to email@example.com. As an all volunteer project there are no absolute guarantees, but the Horde Project will attempt to respond to all valid reports within 24 hours with an acknowledgment and requests for any additional needed information.
When reporting issues, please include the version number of Horde and all applications so that we can test the correct version from the start.
The time required to release a fix will vary depending on the complexity of the issue. We will stay in communication with vendors throughout the development and testing process for fixes, and we ask reporters to stay in communication with the Horde Project (through the firstname.lastname@example.org alias). Any help from reporters with testing fixes is doubly appreciated.
Information provided by reporters is a courtesy to the Horde Project and will be kept confidential in order to do coordinated releases of both the disclosure and new fixed versions.
In order to achieve a coordinated release with packagers that bundle Horde for distribution, a restricted mailing list is available: http://lists.horde.org/mailman/listinfo/vendor. Membership in this list is moderated and the archives are private in order to maintain confidentiality.
Finally, we will coordinate new releases with the reporter and the vendor mailing list. Releases will clearly state that they contain security fixes.