We are truly grateful for our customers, security researchers, and community users for responsibly reporting security vulnerabilities to us. Your effort helps us make our products and services more secure, and thereby helps protect the entire WSO2 user community.
When reporting security vulnerabilities, you need to adhere to a few guidelines. This document highlights the points that need to be considered before reporting a vulnerability, the process of disclosing a vulnerability, and the content that needs to be included in a vulnerability report.
Some of the vulnerabilities that you come across in the products that were downloaded from wso2.com might have already been fixed. For more information on the security patches issued by WSO2, see Security Patch Releases.
Prerequisites for reporting Vulnerabilities
Please make sure to go through the prerequisites before you run an automated security scan or perform a penetration test.
- Security aspects of the product are hardened
Make sure to follow the guidelines provided under Security Guidelines for Production Deployment. These guidelines might mitigate the security concerns you are experiencing.
- Ensure that you have installed all the Security patches.
Responsible Disclosure of Vulnerabilities
Based on the ethics of responsible disclosure, it is recommended to follow the process given below to report security vulnerabilities.
- If you are a security researcher or a community user, you must only use the [email protected] mailing list.
- If you are a customer of WSO2, you can either use the [email protected] mailing list or open a ticket in the Support Portal.
[email protected] is a highly confidential internal mailing list that is only visible to a selected group within WSO2. This includes the Platform Security Team members, Security Champions of product teams, and people who hold leadership roles within WSO2. All the vulnerability reports are treated with the highest priority and confidentiality.
If you wish to send secure messages to [email protected], you may use the following key:
Apart from the channels mentioned above, please do not use any other medium to report security vulnerabilities of WSO2. This includes, but is not limited to, public forums, blogs and other websites, social media, and public and private chat groups.
Further, kindly refrain from sharing the vulnerability details you come across with other individuals. The vulnerability can only be publicized after we complete our Security Vulnerability Management Process. We will work closely with the reporter and will keep him/her updated on our progress.
What Constitutes a Proper Vulnerability Report
Please use the following template when reporting vulnerabilities so that it contains all the required information and helps expedite the analysis and mitigation process.
- Vulnerable WSO2 products(s) and version(s)
- A high-level overview of the issue
- Steps to reproduce. Feel free to send us a screen cast.
- Self-assessed severity and impact.
- Any proposed solution