This document is a work in progress.


We highly appreciate our customers, security researchers and community users who report security vulnerabilities to us, making our products and services more secure and thereby helping to protect the whole community of users. However, for such a disclosure to be useful, several things need to be taken into account. This document explains how to disclose a vulnerability responsibly and what a vulnerability report should contain.

Responsible Disclosure of Vulnerabilities

There are several ways to report a security vulnerability to us.

  • If you are a security researcher or a community user, then you must only use the mailing list [email protected].
  • If you are a customer of ours, in addition to the above mailing list, you can also open a ticket in the support portal.

[email protected] is a highly confidential mailing list visible only to a select group within WSO2.

What Constitutes a Proper Vulnerability Report

Please use the following template in reporting vulnerabilities:

  • Vulnerable WSO2 product(s) and version(s)
  • Overview: High-level overview of the issue and self-assessed severity
  • Description: Include the steps to reproduce
  • Impact: Self-assessed impact
  • Solution: Any proposed solution
