Zabbix Security Policy
Zabbix follows a strict process when developing new versions of the software, in accordance with the Zabbix life cycle and release policy. All tasks are subject to strict standards imposed by Zabbix:
- All Zabbix developers adhere to the project coding guidelines.
- All code is reviewed by a senior developer before being merged into the Zabbix code base.
- All tasks are tested by Quality Assurance engineers.
- Each major Zabbix release goes through an internal security audit by the Zabbix Security team.
Zabbix is ISO/IEC 27001:2013 certified. The certificate attests that Zabbix manages its information security in line with this internationally recognised standard. It is issued for four Zabbix offices: Zabbix LLC (USA), Zabbix SIA (Latvia), Zabbix Japan LLC (Japan) and Zabbix Servicos de Software LTDA (LATAM Brazil).
Although the development process is designed to minimise the chance of security issues, new vulnerabilities may still be discovered. Zabbix treats security issues in maintained versions as high priority. Note that Zabbix does not fix security issues in versions that are no longer supported; if such a fix is required, it is custom development charged at an hourly rate.
At Zabbix we use the term "responsible disclosure", which means we have a policy on how we disclose all security issues that come to our attention, but only after the issue has been resolved and all customers with support contracts have been given time to upgrade or patch their installations.
We kindly ask that when you report a security issue, you follow the same guidelines and share the details only with the Zabbix Security team.
Before reporting the issue:
Make sure that the issue you are submitting is not caused by server configuration or by third-party scripts and utilities. To avoid configuration-related issues, we advise Zabbix users to read Best practices for secure Zabbix setup.
Create a new issue in the Zabbix Security Reports (ZBXSEC) section of the public bug tracker, describing the problem in detail (and a proposed solution, if possible). Issues in this section are accessible only to the Zabbix Security team and the reporter.
The following information will be helpful to the Zabbix Security team:
- The date and time when you identified the security defect.
- The affected Zabbix version range.
- The type of security issue you are reporting, e.g. XSS, CSRF, SQLi, RCE.
- The affected components, e.g. frontend, server, agent, API.
- Any details you can provide, e.g. screenshots, screen recordings, HTTP(S) transaction logs or proof-of-concept exploits. Do not share evidence via unauthenticated file sharing services, and avoid including sensitive information: if the Zabbix Security team decides that the report does not fit the security defect description, it may be moved to the ZBX project, where it becomes visible to all users.
- Step-by-step instructions to reproduce the issue, since the problem might not be easily identifiable.
How Zabbix deals with reported security issues:
- Zabbix Security team reviews the issue and evaluates its potential impact.
- If the reported issue is found not to be security-related, it is moved to the ZBX project.
- The Zabbix Security team works on a fix and keeps all details of the problem confidential until the next version of Zabbix is released.
- New packages are created and made available for download at https://zabbix.com/download
- Zabbix requests CVE identifiers for the security issue.
- Clients with valid support agreements are notified by e-mail and given a period of time in which to upgrade before the issue is made public.
- A public announcement for the community is made.
Public Zabbix bug bounty program on HackerOne
Zabbix has partnered with HackerOne to run a public bug bounty program, in which ethical hackers can look for potential security vulnerabilities and are rewarded for found and validated issues. The program lets researchers contribute to the security of the product by discovering potential vulnerabilities in the various Zabbix components, such as the Zabbix frontend, server, proxy, agent, API and other Zabbix processes. It offers up to $3,000 as a reward for discovering and reporting a bug. More information can be found on the Zabbix bug bounty page: https://hackerone.com/zabbix