Skip to Content
Menu

Responsible Disclosure Policy

For Odoo Security Vulnerabilities

The safety of Odoo systems is very important to us (not only because we use Odoo internally), and we consider security problems with the highest priority. We do our best every day to protect Odoo users from known security threats, and we welcome all reports of security vulnerabilities discovered by our users and contributors.

We are committed to handle vulnerability reports with the greatest attention, provided that the following rules are respected.

Reporting an issue

Please share privately the details of your security vulnerability by emailing our Security Team at   Security at odoo top-level-domain. Make sure to include as much information as possible, including the detailed steps to reproduce the problem, the versions that are affected, the expected results and actual results, and any other information that might help us react faster and more efficiently. We tend to prefer text-based bug descriptions accompanied with a proof-of-concept script/exploit, rather than long videos.
Our GPG Key
4096R/8E877D2F
Fingerprint: 9083 DE46 54A7 8DE3 CFAD D880 0B9E A35A 8E87 7D2F
Download: keys.openpgp.org
Download: (mirror)

Reporting vulnerabilities via third-party websites is not acceptable, as it breaches the terms of our policy. If you are looking for a third-party reward, we may forward the list of CVE IDs assigned to you, so they can verify your rewards - but the issues have to be reported to us directly.

Please note: we receive a majority of security reports that have little to no impact on the security of Odoo or Odoo Online, and we ultimately have to reject them. To avoid a disappointing experience when contacting us, please try to put together a proof-of-concept attack and take a critical look at what's really at risk. If the proposed attack scenario turns out unrealistic, your report will probably be rejected. Also be sure to review our list of non-qualifying issues below.

You may send this report from an anonymous email account, although we promise not to disclose your identity if you do not want us to.

You can also encrypt and verify messages to/from our security team with the GPG key linked above.

Incident Response Procedure

  1. You privately share the details of the security vulnerability with our Security Team by reporting an issue (see above)
  2. We acknowledge your submission and verify the vulnerability. Our first answer generally comes under 48h.
  3. If the vulnerability is valid and in scope, we request a CVE ID and give it to you as soon as it is assigned.
  4. We work on a correction in collaboration with you.
  5. We write a detailed Security Advisory describing the issue, its impacts, possible workarounds and solution, and we ask you to review it
  6. We privately broadcast the Security Advisory and the correction to stakeholders and customers with an Odoo Enterprise Contract
  7. We give stakeholders and customers a reasonable delay to apply the correction, before disclosing it publicly (e.g. 2-3 weeks)
  8. We disclose and broadcast the Security Advisory and the correction on our public channels.

Rules

We ask you to observe the following rules at all times:

  • Exclusively test vulnerabilities on your own deployments, on demo.odoo.com, or on your own databases on Odoo Cloud (SaaS/SH)
  • Never attempt to access or modify data that does not belong to you
  • Never attempt to execute denial of service attacks, or to compromise the reliability and integrity of services that do not belong to you
  • Do not use scanners or automated tools to find vulnerabilities, as their effects could violate the previous rules (unless you can guarantee that they will be throttled to less than 5 requests/second, ideally 1 r/s, and will not break any other rules)
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system without our prior consent
  • Do not publicly disclose vulnerabilities without our prior consent (see also the Disclosure Procedure above). During the non-disclosure period you are authorized to use/test any correction we've provided, as long as no emphasis is put on that correction and it is not published in the form of a security report (i.e. using it on production servers is fine).

In return:

  • We will not initiate legal action against you if you followed the rules
  • We will process your report and respond as quickly as possible
  • We will provide a fix as soon as possible
  • We will work diligently with stakeholders and customers in order to help them restore the safety of their systems
  • We will not publicly disclose your identity if you do not want to be credited for your discovery


What to report?

Qualifying vulnerabilities - DO REPORT!

  • SQL injection vectors in public API methods
  • XSS vulnerabilities working in supported browsers
  • Broken authentication or session management, allowing unauthorized access
  • Broken sandboxing of customizations, allowing arbitrary code execution or access to system resources

NON Qualifying vulnerabilities - DO NOT REPORT!

  • XSS vulnerabilities working only in unsupported/deprecated browsers, or requiring relaxed security settings
  • Self-XSS attacks requiring the user to actively copy/paste malicious code into their own browser window
  • "XSS attacks" by admins, e.g. via file uploads (SVG, HTML, JS, ...) or script injection. Administrators are webmasters, security restrictions don't apply to them, this is a feature.
  • Rate-limiting / Brute-forcing / Scripting of components working as designed (e.g. password authentication, password reset, etc.)
  • User enumeration (ability to verify that a username exists). Does not carry much risk, and can't be prevented without deteriorating the user experience.
  • File path disclosures, which do not carry significant risk and do not enable attacks that would be otherwise impossible
  • Clickjacking or phishing attacks using social engineering tricks to abuse users, with the system working as intended
  • Tabnapping or other phishing attacks conducted by navigating other browser tabs
  • Logout CSRF (no plausible attack unless combined with Login CSRF + not preventable e.g. via cookie tossing or cookie jar overflow)
  • Open redirectors, which are simply one vector for phishing among many others ( see our detailed explanation)
  • Reflected File Downloads, another attack technique that requires social engineering and is not very practical
  • Referer leak (including sensitive tokens) via social media links or ads/analytics requests - very unlikely to be clicked, or to be exploited within validity period by those mainstream companies! 
  • More generally, attacks relying on physical or social engineering techniques will usually be rejected
  • Non-permanent Denial of Service (DoS) and distributed DoS (DDoS) that maintain resource exhaustion (cpu/network/memory/...) via a sustained stream of requests/packets
  • Password policies (length, format, character classes, etc.)
  • Missing or partial verification of email addresses, or ways to circumvent it
  • Disclosure of public information or information that does not carry significant risks (directory listing on our downloads archive is a required feature! ;-))
  • Spam-fighting policies and systems such as DKIM, SPF or DMARC
  • Absence of HTTP Strict Transport Security (HSTS) headers, HSTS preloading, and HSTS policies 
  • Weak ciphers or SSL deployments details. Our benchmark is an A grade on SSLLab's test yet a maximal compatibility with user browsers. We are currently phasing out TLS 1.0 on www.odoo.com, already done for our customer hosting services
  • SSRF attacks, unless they allow access to special protocol handlers (e.g. file://), or can be used in a working scenario to bypass access control on the Odoo Cloud Hosting (cfr deployment documentation)
  • Issues in default configuration of access control rules (e.g. ACLs and record rules) - please open regular bug reports instead
  • Attack scenarios that include a prior takeover of the user account or an email account of the user - please open regular bug reports instead

If you have any doubt, please ask us first!

Reward

If you report a new security issue that is confirmed to be critical (see the DO REPORT section), we will publicly thank you by adding your name to the Odoo Security Hall of Fame, on the right of this page.
 

Thank YOU!

We are extremely grateful to the following security researchers who have worked with us to further improve the security of Odoo and the Odoo Cloud platforms!

ResearcherYear
Nils Hamerlinck
(Trobz)
2021, 2020, 2019, 2018, 2017, 2016
Colin Newell  2017, 2016, 2015
IBS Group 2019, 2018, 2017, 2015
Naglis Jonaitis
2018, 2017, 2016, 2015
Swapnesh Shah 2019, 2018
Ondřej Kuzník 2017, 2016, 2015
lebr0nli (Alan Li) 2024
Elliot Ward 2024, 2023
Florent Mirieu de Labarre 2019, 2018
Alexandre Moens 2023, 2021
iamsushi 2021, 2019
Rafi Shapiro2023
Alexandre Díaz2021, 2020
Yenthe Van Ginneken2019, 2018
Bhavin Fadadu2023
Niyas Raphy2022
Rifat Al Jubayer2022
Andreas Perhab
(WT-IO-IT GmbH)
2021
Parth Gajjar2021
Theodoros Malachias2021
Ranjit Pahan2021
Iago Ruiz2021
Johannes Moritz (Cure53)2021
Moez Hemani2021
Loc Truong2020
Damien LESCOS2020
Santosh Kumar Sha2020
Kennedy Sanchez2020
Abhiram V2020
Christopher Riis Bubeck Eriksen2020
"Raspina Net Pars Group"2020
Alessandro Innocenti2020
Holger Brunn
(Hunki Enterprises BV)
2019
Agustín Ezequiel Maio2019
Emre Övünç2019
Lauri Vakkala (Silverskin)2019
P. Valov (SoCyber)2019
Nathanael ROTA (Capgemini)2019
Tomas Canzoniero2019
Subash SN (Appsecco)2019
Bharath Kumar (Appsecco)2019
Dipanshu Agrawal2019
Anıl Yüksel2019
Aitor Fuentes (kr0no)2019
Erwin van der Ploeg (Odoo Experts)2018
Benoît Chenal (Excellium-services – Application Security)2018
Adan Álvarez (A2secure)2018
Bharath Kumar (Appsecco)2018
Subash SN (Appsecco)2018
Stéphane Bidoul (ACSONE)2018
Mehmet Tuncer2018
Hugo Rodrigues2018
Moises Lopez2018
Carlos Daudén,
Tecnativa S.L.
2018
Andrew Grasso
(Logic Supply)
2017
Juba Baghdad2017
Prakash Dhatti2017
JubaBaghdad2017
Romain E Silva (Sysdream)2017
Adel Nettar (Sysdream)2017
Azizul Hakim2017
"Ayrx" via SSD2017
Wolfgang Taferner
(WT-IO-IT GmbH)
2017
Corben Leo2017
Cameron Dawe2016
Xavier Alt2016
Vibhuti Ranjan Vidyarshy Nath2016
Mohammad Alhashash
2016
Nagaraju Repala
2016
Leonardo Pistone (Camptocamp France)2015
Mohamed Khaled Fathy2015
Dipak Kumar Das2015
Paul Catinean2015
Muhammed Gamal Fahmy2015
Openinside Co.2015
ONESTEiN / Glasswall 2015
Sven Schleier, KPMG Management Consulting, SG2015
Ondřej Kuzník & Craig Gowing, credativ Ltd2015
Daniel Lawson2014
"diesenfranz"2014
Vo Minh Thu2013
Bastian Ike2013

- Special Thanks -
The Security Team would also like to thank the following individuals for their contributions to improve the security of Odoo users (in alphabetical order):
Aaron Devaney, Abhishek Venkat, Ahsan Khan, Ameya Darshan, Caleb Kinney, Cédric Krier, Christophe Hanon, Deepali Malekar, Fazal Ur Rahman, Flo van der Vlist, Huzaifa Jawaid, Ismail Tasdelen, Ivan Yelizariev, Jairo Llopis, Khan Janny, Leonardo "LeartS" Donelli, Mohammed Israil, Mohamed Karara, Niyas Raphy, Riccardo Ancarani, Saddam Maniyar, Sameer Phad, Sébastien Versailles, "St00rm N00b", Suyog Palav, Tarun Manhor- Abhaychandra Chede, Tayler Porter, Ye Yint Min Thu Htut, Ziaur Rashid