Community mailing list archives

Re: Crowd funding the Odoo Penetration Test

Credativ, Ondrej Kuznik
- 06/26/2015 08:53:32
Hi Nuria, community,

as someone who has reported several critical security issues in the
platform and has just completed the first stage of a comprehensive audit of
the core Odoo codebase (and is helping Odoo address any concerns raised
during this), I think I should chip in:

Yes, it is true that Odoo has not invested nearly enough time into
making its platform as secure as it should have done, while marketing the
notion that the opposite is true. However, now that they are aware that
problems exist, things seem to be changing and there is an
initiative to make amends and encourage best practices. That includes
having the source code audited.

Regarding the rest of the email, we too share the goal of increasing
security and raising Odoo's profile, and thus are in favor of a penetration
test being done to gauge the state of the publicly accessible features
of the site, especially the CMS, which is very young and constitutes
venturing into unexplored territory for Odoo.

For anything else (particularly the modules you mention), a
comprehensive audit of the actual modules+core would be more appropriate,
and these are either already covered by the audit I have just completed or
planned for its future stages.

As a team of people who have a deep understanding of Odoo, and with me
personally having spent the past five years evangelising good security
awareness and making various software and systems more secure, we
believe that we are in a better position to find issues that an
uninitiated auditor could miss.

Regardless of whether an external auditor will be taken on for the task,
we will carry on with the next phases of the audit we have already started.

If there is enough interest in the community to expedite this, we can
make sure this gets more resources committed to it and help make the
results available sooner.

Ondrej Kuznik

credativ Ltd
Suite 5, Bloxam Court
Corporation Street
Rugby
CV21 2DU
UK office: +44 1788 298150
credativ Ltd is registered in England & Wales, company no. 5261743
Certified by CompTIA / AccredIT UK with the ICT Supply standard of
quality for Software Product Design and Development