Version: 12.9 0 | Date: 23rd Nov 2020Sep 2021
WSO2 conducts security reviews and tests throughout the entire software development lifecycle (SDLC) to make sure our products and services are secure against all known vulnerabilities. However, even with the most stringent tests, some vulnerabilities can go unnoticed. That is why WSO2 treats security vulnerability disclosures with the highest priority. We have an efficient process to evaluate such disclosures urgently and take steps to mitigate risks.
Internal security tests and scans:
We conduct security scanning using multiple industry standard products and tools on on WSO2 infrastructure, services, and released WSO2 product versions as well as versions under development.
The [email protected] mailing list security mailing lists:
Any user who comes across security issues in WSO2 products and services is highly encouraged to report those issues via this channelchannels. For further information please check "WSO2 Security Vulnerability Reporting Guidelines".
Customer Support Portal:
Users with a paid WSO2 subscription can report security issues via this channel.
- External security related mailing lists, vendor security notifications and vulnerability databases.
Before reporting a vulnerability to WSO2, make sure you follow the recommendations given in WSO2 Security Vulnerability Reporting Guidelines.
Please note that we highly discourage sending automated scan reports via [email protected]security mailing lists. The WSO2 Platform Security team does not put effort to evaluate such scan reports due to the high percentage of false positives that are inherent in automated security scanning. Therefore, please report positive vulnerabilities with steps to reproduce as explained in WSO2 Security Vulnerability Reporting Guidelines.