Odoo Security Advisory
Responsible disclosure policy for Odoo security vulnerabilities.
Website: https://www.odoo.com/de_DE/security-report
The policy describes how security researcher can submit their findings and tells what the incident response procedure looks like.
Valid vulnerabilities receive a CVE (Common Vulnerabilities and Exposures) ID.
Public Channels
CVEs are published on GitHub as issues: https://github.com/odoo/odoo/issues?q=is%3Aissue+label%3ASecurity.
Notifications
Odoo notifies Odoo Enterprise customers with an on-premise installation of Odoo.
Here are CVEs addressed by mail from Odoo: