This document is a work in progress.
We highly appreciate our customers, security researchers and our community users for reporting security vulnerabilities to us, making our products and services more secure and thereby helping to protect the whole community of users. However, for such a disclosure to be useful, there are several things that need to be taken into account. This document describes how to disclose a vulnerability responsibly and what a vulnerability report should contain.
Prerequisites for Reporting Vulnerabilities
Before planning to report a vulnerability to us, there are several items that you need to make sure are in place.
Apply security guidelines for Production Deployments
Install all the security patches
Responsible Disclosure of Vulnerabilities
Based on the ethics of responsible disclosure, we recommend only the following ways to report security vulnerabilities to us.
[email protected] is a highly confidential internal mailing list visible only to a selected group within WSO2. This includes Platform Security Team members and Security Champions of product teams, and people holding leadership roles within WSO2. All the vulnerability reports are treated with the highest priority and confidentiality. If you wish to send secure messages to [email protected], you may use the following key:
Apart from the mediums mentioned above, please do not use any other medium to report security vulnerabilities of WSO2. This includes, but is not limited to, public forums, blogs and other websites, social media, and public and private chat groups. Also, kindly refrain from mentioning the vulnerability to other individuals. The vulnerability may be publicized only after we complete our Vulnerability Management Process. We will work closely with the reporter and keep them updated on our progress. Please refer to [Vulnerability Management Process] for more information on what we do once a vulnerability is reported to us.
What Constitutes a Proper Vulnerability Report
Please use the following template when reporting vulnerabilities:
- Vulnerable WSO2 product(s) and version(s)
- Overview: High-level overview of the issue and self-assessed severity
- Description: Include the steps to reproduce
- Impact: Self-assessed impact
- Solution: Any proposed solution