Version: 2.2 | Date: 6th Dec 2021
We recognize the efforts of the security research community in helping us make WSO2 products safer. To honor such external contributions, we maintain a reward and acknowledgement program for WSO2-owned software products. This document describes the various aspects of this program:
Products & Services in Scope
At this time, the scope of this program is limited to security vulnerabilities found on Choreo, Asgardeo and the software products developed by WSO2.
This includes the following:
- Ballerina (limited to the scope mentioned in https://ballerina.io/security-policy/)
- Choreo
- Asgardeo
Of the products listed above, only the latest released version of each product is in scope for this program. In addition, the product version must be marked as 'Available' or 'Deprecated' in the WSO2 Support Matrix.
Any other live deployment of a WSO2 product, or any website (e.g. wso2.com), is not in scope for this program.
Qualifying Vulnerabilities
Any security issue with a moderate or higher impact on the confidentiality, integrity, or availability of Choreo, Asgardeo, or a WSO2 product is in scope for the program.
The following are common issue classes that we typically consider for a reward:
- SQL or LDAP Injection
- Cross-site Scripting (XSS)
- Broken authentication and authorization
- Broken session management
- Remote code execution
- OS command execution
- XML External Entity (XXE) or XML Entity Expansion
- Path traversal
- Insecure Direct Object References
- Confidential information leakages (E.g. credentials, PII)
Kindly note that the impact assessment is solely at the discretion of WSO2.
Non-qualifying Vulnerabilities
We review reported security issues case by case. The following are common issues that we typically do not consider for a reward:
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) vulnerabilities.
- Logout Cross-site Request Forgery (CSRF)
- Missing CSRF token in login forms
- Cross domain referer leakage
- Missing HttpOnly flags
- SSL/TLS related issues
- Missing HTTP security headers
- Account enumeration
- Brute-force Attacks
- Non-critical information leakages (E.g. server information, stack traces)
However, issues in the above categories may still be considered for a reward depending on the security impact demonstrated in the report.
Rewards and Acknowledgement
To show our appreciation, we provide a reward and an acknowledgement to eligible reporters after the reported issue has been fixed and the fix has been announced to WSO2 customers and community users.
With the reporter's consent, we will do the following:
- Include the reporter's name in the security researcher Acknowledgements web page.
- Email a certificate of appreciation to the reporter.
- Provide one of the following, as preferred by the reporter:
- Amazon gift voucher worth 50 USD (from: Amazon.com / Amazon.ca / Amazon.cn / Amazon.fr / Amazon.de / Amazon.in / Amazon.it / Amazon.co.jp / Amazon.co.uk / Amazon.es / Amazon.com.au)
- PayPal transfer worth 50 USD.
Exceptions & Rules
Following exceptions and rules apply in this program:
- You will qualify for a reward only if you are the first person to responsibly disclose a previously unknown issue.
- WSO2 has 7 days to provide the first response to the report. Depending on the severity of the report, it could take up to 90 days to implement a fix, and further time might be needed to announce the fix to our customers and community users for all affected product versions. WSO2 will keep the reporter up to date on the progress of the process.
- Posting details of or conversations about the report in a way that violates responsible disclosure, or posting details that reflect negatively on the program or the WSO2 brand, will disqualify the reporter from consideration for rewards and credits.
- All security testing must be carried out in a standalone WSO2 product running locally or a hosted deployment owned by the reporter.
- All communications must be conducted through the WSO2 security mailing lists only.
Offering a reward or giving credit is entirely at WSO2's discretion.