Version: 2.0 1 | Date: 5th February 14th Sep 2021
We recognize the efforts of the security research community in helping us make WSO2 products safer. To honor such external contributions, we maintain a reward and acknowledgement program for software products owned by WSO2. This document describes the various aspects of this program:
At this time, the scope of this program is limited to security vulnerabilities found on Choreo and the software products developed by WSO2.
Of the products listed above, only the latest released version of each product is in scope for this program. In addition, the release date of that product version must be within 3 years of the date of the report.
Other than Choreo, no live deployment of a WSO2 product, no website (e.g. wso2.com), and no other hosting owned by WSO2 is in scope for this program.
Any security issue that has a moderate or higher impact on the confidentiality, integrity, or availability of Choreo or a WSO2 product is in scope for the program.
Following are a few common issues that we typically consider for rewarding.
We review reported security issues case by case. The following are common issues that we typically do not consider for rewarding.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) vulnerabilities.
- Logout Cross-site Request Forgery (CSRF)
- Missing CSRF token in login forms
- Cross domain referer leakage
- Missing HttpOnly and Secure cookie flags
- SSL/TLS related issues
- Missing HTTP security headers
- Account enumeration
- Brute-force attacks
- Non-critical information leakages (e.g. server information, stack traces)
- You will qualify for a reward only if you are the first person to responsibly disclose a previously unknown issue.
- WSO2 will provide a first response to the report within 7 days. Depending on the severity of the report, it could take up to 90 days to implement a fix, and further time might be needed to announce the fix to our customers and community users across all affected product versions. WSO2 will keep the reporter up to date with the progress of the process.
- Posting details of, or conversations about, the report in a way that violates responsible disclosure, or posting details that reflect negatively on the program or the WSO2 brand, will disqualify the reporter from consideration for rewards and credits.
- All security testing must be carried out against a standalone WSO2 product running locally or against a hosted deployment owned by the reporter.
- All communications must be conducted through the [email protected] security mailing list only.
Offering a reward or giving credit is entirely at WSO2's discretion.
A good bug report should include the following information at a minimum: