Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 36 Next »

This document is a work in progress.


We highly appreciate our customers, security researchers and community users for reporting security vulnerabilities to us for making our products and services more secure, and thereby helping to protect the whole community of users. However, to make such a disclosure useful, there are several things that need to be taken into account. This document highlights what should be considered before reporting a vulnerability, how to disclose a vulnerability responsibly, and what should be contained in a vulnerability report. 

Prerequisites for reporting Vulnerabilities

Before reporting a vulnerability to us, there are several items you need to make sure are in place.

  • Security aspects of the product are hardened

Make sure guidelines provided under [Security Guidelines for Production Deployment#WSO2product-levelsecurity] are properly followed. Those guidelines might mitigate the security concern you are experiencing.

  • Security patches are installed 

This is mentioned in the above guidelines as well, but need to emphasis the importance. The vulnerabilities that you find in a distribution downloaded from our site might have been already fixed by us. Security patches issued by us could be found at [].

Before running an automated security scan, or performing a penetration test, please make sure these prerequisites are done.

Responsible Disclosure of Vulnerabilities

Based on the ethics of responsible disclosure, we recommend only the following ways to report security vulnerabilities to us.

  • If you are a security researcher or a community user, then you must only use the [email protected] mailing list.
  • If you are a customer of WSO2, then in addition to using the above mailing list, you can open a ticket in the Support Portal as well.

[email protected] is a highly confidential internal mailing list visible only to a selected group within WSO2. This includes Platform Security Team members and Security Champions of product teams, and people holding leadership roles within WSO2. All the vulnerability reports are treated with the highest priority and confidentiality. If you wish to send secure messages to [email protected], you may use the following key:

[email protected]: F0AB 72EC D77A 6162 4C48 A245 0CF3 FD36 E100 FF07

Apart from the channels mentioned above, please do not use any other medium to report security vulnerabilities of WSO2. This includes, but not limited to, public forums, blogs and other websites, social media, public and private chat groups. Also, kindly restrain from mentioning the vulnerability to other individuals as well. The vulnerability could be publicized only after we complete our Security Vulnerability Management Process. We will work closely with the reporter, and will keep him/her updated with our progress.

What Constitutes a Proper Vulnerability Report

Please use the following template in reporting vulnerabilities in order to make it useful and to help us to provide a quick mitigation.

  • Vulnerable WSO2 products(s) and version(s)
  • High-level overview of the issue
  • Steps to reproduce
  • Self-assessed severity and impact
  • Any proposed solution

  • No labels