We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Email: security@linagora.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
| Stage | Timeline |
|---|---|
| Initial response | Within 48 hours |
| Vulnerability assessment | Within 7 days |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
- We will acknowledge your report within 48 hours
- We will keep you informed of our progress
- We will credit you in the security advisory (unless you prefer anonymity)
- We will not take legal action against researchers who follow responsible disclosure
| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |
Only the latest minor version receives security updates. We recommend always running the latest release.
- Security issues are fixed in private and released as part of a new version
- Security advisories are published after the fix is available
- Critical vulnerabilities may receive expedited patches
For detailed information about the security architecture and implementation:
- Security Architecture - Transport security, authentication, encryption
- Enrollment Security - Server enrollment security analysis
- SSH Connection Security - SSH authentication and authorization
- Offboarding Procedures - Revocation and deprovisioning
- Future Improvements - Planned security enhancements
When deploying Open Bastion:
- Use TLS 1.3 - Set `min_tls_version = 13` in configuration
- Enable audit logging - Set `audit_enabled = true` for security monitoring
- Enable rate limiting - Enabled by default, protects against brute-force
- Restrict file permissions - Configuration files should be `0600` owned by root
- Use certificate pinning - For high-security environments, pin the LLNG server certificate
- Never enable debug logging in production - Debug logs may contain sensitive information