||
Skip to end of metadata
Go to start of metadata

Version: 1.2 | Date: 31st July 2019

We have been recognizing the efforts of the security research community for helping us make WSO2 products safer. To honor all such external contributions, we maintain a reward and acknowledgement program for WSO2 owned software products.

Products & Services in Scope

At this time, the scope of this program is limited to security vulnerabilities found on the software products developed by WSO2.

This includes the following:

Out of the above listed products, only the latest released version of each product is included for the scope of this program. In addition to that, the release date of the product version should be within 3 years from the date of report.

Any live deployment of a WSO2 product would not be included for the scope of this program.

Qualifying Vulnerabilities

Any security issue that affects the confidentiality or integrity of user data would be included for the scope of the program. Following are few common issues that we typically consider for rewarding.

  • SQL Injection

  • Cross-site Scripting (XSS)

  • Authentication or authorization flaws

  • Server-side code execution bugs

  • XML Attacks

  • Missing Function Level Access Control

  • Insecure Direct Object References

Non-qualifying Vulnerabilities

We review reported security issues case-by-case. Following are common issues that we typically do not consider for rewarding.

  • Logout Cross-site Request Forgery (CSRF)

  • Missing CSRF token in login forms

  • Cross domain referer leakage

  • Missing HttpOnly and Secure cookie flags

  • SSL/TLS related issues

  • Missing X-Frame-Options or X-Content-Type-Options HTTP headers

  • Account enumeration

  • Brute-force Attacks

  • Content Spoofing

Note: However, we would still consider the issues from the above categories for rewarding based on the impact and the severity.

Rewards and Acknowledgement

WSO2 provides rewards to eligible reporters of qualifying vulnerabilities. After the reported issues are fixed, we will acknowledge the reporter via the Security Researcher Acknowledgements web page and a certificate of appreciation will be emailed. Provided that the reporter shares shipping details, WSO2 will arrange a shipment to the reporter that would contain a pack of swag items and the hard copy of the certificate of appreciation. At the moment this program does not include any monetary incentives. The decision as to whether or not to offer a reward or give credits has to be entirely at our discretion.

Exceptions & Rules

You will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The WSO2 Platform Security Team has 7 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report. Posting details or conversations about the report that violates responsible disclosure or posting details that reflect negatively on the program and the WSO2 brand, will disqualify from consideration for rewards and credits. All security testing must be carried out in a standalone WSO2 product running locally or a hosted deployment owned by the reporter. All communications must be conducted through security@wso2.com email only.

Investigating and Reporting Bugs

If you have found a vulnerability, please contact us at security@wso2.com. If necessary, you can use this PGP key.

A good bug report should include the following information at a minimum:

  • Vulnerable WSO2 product(s) and their version(s)

  • List of URL(s) and affected parameter(s)

  • Describe the browser, OS, and/or app version

  • Describe the self-assessed impact

  • Describe the steps to exploit the vulnerability

  • Any proposed solution


We thank you for helping us keep WSO2 products and services safe !



  • No labels