Version: 1.2 | Date: 31st July 2019
We recognize the efforts of the security research community in helping us make WSO2 products safer. To honor such external contributions, we maintain a reward and acknowledgement program for WSO2-owned software products.
Products & Services in Scope
At this time, the scope of this program is limited to security vulnerabilities found on the software products developed by WSO2.
This includes the following:
Of the products listed above, only the latest released version of each product is in the scope of this program. In addition, the release date of the product version must be within 3 years of the date of the report.
Live deployments of WSO2 products are not in the scope of this program.
Any security issue that affects the confidentiality or integrity of user data is in the scope of the program. The following are a few common issues that we typically consider for rewarding.
Cross-site Scripting (XSS)
Authentication or authorization flaws
Server-side code execution bugs
Missing Function Level Access Control
Insecure Direct Object References
We review reported security issues case by case. The following are common issues that we typically do not consider for rewarding.
Logout Cross-site Request Forgery (CSRF)
Missing CSRF token in login forms
Cross-domain Referer leakage
Missing HttpOnly and Secure cookie flags
SSL/TLS related issues
Missing X-Frame-Options or X-Content-Type-Options HTTP headers
Note: We may still consider issues from the above categories for rewarding, depending on their impact and severity.
Rewards and Acknowledgement
WSO2 provides rewards to eligible reporters of qualifying vulnerabilities. After the reported issues are fixed, we acknowledge the reporter on the Security Researcher Acknowledgements web page and email a certificate of appreciation. Provided that the reporter shares shipping details, WSO2 will arrange a shipment to the reporter containing a pack of swag items and a hard copy of the certificate of appreciation. At the moment this program does not include any monetary incentives. The decision whether to offer a reward or give credit is entirely at our discretion.
Exceptions & Rules
You will qualify for a reward only if you are the first person to responsibly disclose a previously unknown issue. The WSO2 Platform Security Team has 7 days to respond to the report, and up to 90 days to implement a fix, depending on the severity of the report. Posting details of or conversations about the report in a way that violates responsible disclosure, or posting details that reflect negatively on the program or the WSO2 brand, will disqualify the reporter from consideration for rewards and credits. All security testing must be carried out on a standalone WSO2 product running locally or on a hosted deployment owned by the reporter. All communications must be conducted through the firstname.lastname@example.org email address only.
Investigating and Reporting Bugs
A good bug report should include the following information at a minimum:
Vulnerable WSO2 product(s) and their version(s)
List of URL(s) and affected parameter(s)
Describe the browser, OS, and/or app version
Describe the self-assessed impact
Describe the steps to exploit the vulnerability
Any proposed solution
We thank you for helping us keep WSO2 products and services safe!