Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version: 1.6 | Date: 6th Dec 2021

We are truly grateful for our customers, security researchers, and community users for reporting responsibly reporting security vulnerabilities to us. Your effort helps efforts help us make our products and services (e.g. WSO2 API Manager), services (e.g. WSO2 API Cloud), and open source projects (e.g. Siddhi) more secure, and thereby helps protect the entire WSO2 user community.


Some of the vulnerabilities that you come across in the products that were downloaded from might have already been fixed. For more information on the security patches issued advisories issued publicly by WSO2, see see Security Patch ReleasesAdvisories page.

Table of Contents

Prerequisites for reporting Vulnerabilities


Please For WSO2 products, please make sure to go through the prerequisites before you run an automated security scan or perform a penetration test against them.

  • Security aspects of the product are hardened
    Make sure to follow the guidelines provided under Security Guidelines for Production DeploymentThese guidelines might mitigate the security concerns you are experiencing.
  • Ensure If you are a WSO2 subscription holder, ensure that you have installed all the Security patchesupdates.
  • If you are a security researcher, we encourage you to download the latest product version available before testing.

Responsible Disclosure of Vulnerabilities

Based on the ethics of responsible disclosure, it is recommended to follow the process given below to report security vulnerabilities.

  • If you are a an independent security researcher or a community user, you must only use the [email protected] mailing list.the mailing lists mentioned in Table 1.
  • If you are a customer of WSO2, you can either use the [email protected]  mailing list mailing lists mentioned in Table 1 or open a ticket in the Support Portal.

ScopeEmail addressGPG key
Security issues relevant to Choreo[email protected]

E244 7A59 F1E0 9369 5CBA  3195 FF67 8AD2 84F9 6B9A

Security issues relevant to Asgardeo[email protected]

7EFB 2075 2A3D 65D0 0C15  33F1 79FD 52B8 1D17 AE48

Security issues relevant to Ballerina[email protected].


                                                                                         Table 1: Email addresses for security issue reporting


Above Security mailing lists are highly confidential internal mailing lists that are only visible to a selected group within WSO2. This includes the Platform the Security and Compliance Team members, Security Champions of product, service, and open source project teams, and people who hold leadership roles within WSO2. All the vulnerability reports are treated with the highest priority and confidentiality.

If you wish to send secure messages to [email protected]security mailing lists, you may use the following key:

[email protected]: F0AB 72EC D77A 6162 4C48 A245 0CF3 FD36 E100 FF07

GPG keys mentioned in Table 1.

titlePlease note!

Apart from the channels mentioned above, please do not use any other medium to report security vulnerabilities of WSO2. This includes, but is not limited to, repositories like GitHub, public forums, blogs and other websites, social media, and public and private chat groups.

Further, kindly refrain from sharing the vulnerability details you come across with other individuals. The vulnerability can only be publicized after we complete our Security Vulnerability Management Processthe mitigation actions. We will work closely with the reporter and will keep him/her updated on our progress.

What Constitutes a Proper Vulnerability Report

Please use the following template when reporting vulnerabilities so that it contains all the required information and helps expedite the analysis and mitigation process.

  • Vulnerable WSO2 products(s) and version(s)Name of the vulnerable WSO2 product, project, or service and its version (if applicable).
  • A high-level overview of the issue.
  • Steps to reproduce. Feel free to send us a screen cast
  • Self-assessed severity and impact.
  • Any proposed solution.

Vulnerability Handling Process

An overview of the vulnerability handling process:

  • The user reports the vulnerability privately to a security mailing list or through the Support Portal. The initial response time is less than 24 hours.
  • The relevant team at WSO2 fixes the vulnerability and QA verifies the solution.
  • The fix is distributed:
    • If the issue is of a product, distribute the patches to the subscription customers first. Then disclose it publicly after 4 weeks.
    • If the issue is of a service, apply the fix to the deployment.
    • If the issue is of an open source project, apply the fix to the master branch, and release a new version of the distribution if required.
  • The reporter is kept updated on the progress of the process.