Report Security Issues

This section explains how to report security issues in WSO2 products and get rewarded for your contributions.

We welcome all contributions from our user community, developers, customers, and security researchers to reinforce the security of our products and services. We strongly encourage you to report security issues to our private and highly confidential security mailing lists mentioned below before disclosing them in any forums, sites, or other groups - public or private.

For more information, see Vulnerability Reporting Guidelines.


If you wish to send secure messages to our security mailing lists, use the GPG keys mentioned below.

Scope Email Address GPG Key
Security issues relevant to Choreo [email protected] E244 7A59 F1E0 9369 5CBA 3195 FF67 8AD2 84F9 6B9A
Security issues relevant to Asgardeo [email protected] 7EFB 2075 2A3D 65D0 0C15 33F1 79FD 52B8 1D17 AE48
Security issues relevant to Open Healthcare [email protected] 987D 5905 4458 6364 B901 B13D 0AB1 AB05 A68A 1BBF
Security issues relevant to Ballerina [email protected] 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381
Any other security issues relevant to WSO2 [email protected] CB9B 0914 3E92 AE33 DFEA 5026 E251 CB08 CB61 38F2


The above Security mailing lists are highly confidential internal mailing lists and are only visible to a selected group within WSO2. This includes the Security and Compliance Team members, Security Champions of product, service, and open source project teams, and people who hold leadership roles within WSO2.

All the vulnerability reports are treated with the highest priority and confidentiality.