We work hard on making Offen as secure as possible. Yet, this does not mean we might miss possible vulnerabilities in the software. If you found a vulnerability and want to report it, we would like to ask you to follow the steps described below.

Please do not open an issue when you found a security vulnerability in Offen. Instead, please send an email to hioffen@posteo.de. Please do not make your findings public until you hear back from us as described below.

Expect an answer to your initial disclosure in the next 96 hours. We will use this timeframe to do the following:

• verify the issue and assess its severity
• come up with possibilities for closing the vulnerability
• decide upon a fix (or a staged series of fixes) for the issue
• draft a timeframe for resolving the issue and releasing the fix

Once we have covered these items, we will get back to you and follow up on your intial report. In case you want to make your findings public at some point, we will also supply you with a desired timeline for this public disclosure.