Reward and Acknowledgement Program¶
We have been recognizing the efforts of the security research community for helping us make WSO2 products safer. To honor all such external contributions, we maintain a reward and acknowledgement program for WSO2-owned software products. This document describes the various aspects of this program:
- Products & Services in Scope
- Qualifying Vulnerabilities
- Non-qualifying Vulnerabilities
- Rewards and Acknowledgement
- Exceptions & Rules
- Investigating and Reporting Bugs
Products & Services in Scope¶
At this time, the scope of this program is limited to security vulnerabilities found on Choreo, Asgardeo and the software products developed by WSO2.
This includes the following:
Out of the above-listed products, only the latest released version of each product is included in the scope of this program. In addition to that, the release date of the product version should be within 3 years from the date of the report.
Other than Choreo, Asgardeo and any other live deployment of a WSO2 product, a website (such as wso2.com) or any other hosting owned by WSO2, would not be included in the scope of this program.
Any security issue that has a moderate or higher security impact on the confidentiality, integrity, or availability of Choreo, Asgardeo, or a WSO2 product would be included in the scope of the program.
Following are a few common issues that we typically consider for rewarding.
- SQL or LDAP Injection
- Cross-site Scripting (XSS)
- Broken authentication and authorization
- Broken session management
- Remote code execution
- OS command execution
- XML External Entity (XXE) or XML Entity Expansion
- Path traversal
- Insecure Direct Object References
- Confidential information leakages (such as credentials, PII)
Kindly note that the impact calculation is solely at the discretion of WSO2.
We review reported security issues case-by-case. Generally, we do not consider the following common issues for rewarding.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) vulnerabilities
- Logout Cross-site Request Forgery (CSRF)
- Missing CSRF token in login forms
- Cross domain referer leakage
- Missing HttpOnly flags
- SSL/TLS related issues
- Missing HTTP security headers
- Account enumeration
- Brute-force Attacks
- Non-critical Information Leakages (such as server information, stack trace)
However, based on the security impact, we would still consider rewarding the issues from the above categories.
Rewards and Acknowledgement¶
To show our appreciation, we provide a reward and an acknowledgement to eligible reporters after the reported issues are fixed and announced to the WSO2 customers and the community users.
See our Vulnerability Management Process for more details about how we disclose security vulnerabilities.
Based on the consent of the reporter, we will do the following:
- Include the reporter's name on the Security Hall of Fame web page.
- Email a certificate of appreciation to the reporter.
- Provide one of the following preferred by the reporter:
- Amazon gift voucher worth 50 USD (from: Amazon.com / Amazon.ca / Amazon.cn / Amazon.fr / Amazon.de / Amazon.in / Amazon.it / Amazon.co.jp / Amazon.co.uk / Amazon.es / Amazon.com.au)
- PayPal transfer worth 50 USD.
Exceptions & Rules¶
The following exceptions and rules apply in this program:
- You will qualify for a reward only if you are the first person to responsibly disclose an unknown issue.
- WSO2 has 7 days to provide the first response to the report. It could take up to 90 days to implement a fix based on the severity of the report, and further time might be needed to announce the fix to our customers and community users of all the affected product versions. WSO2 will keep the reporter up to date with the progress of the process.
- Posting details or conversations about the report that violates responsible disclosure, or posting details that reflect negatively on the program and the WSO2 brand, will disqualify you from consideration for rewards and credits.
- All security testing must be carried out in a standalone WSO2 product running locally or a hosted deployment owned by the reporter.
- All communications must be conducted through security mailing lists only.
- Offering a reward or giving credits has to be entirely at WSO2’s discretion.
Investigating and Reporting Bugs¶
If you have found a vulnerability, please contact us via channels mentioned in WSO2 Security Vulnerability Reporting Guidelines.
A good bug report should include the following information at a minimum:
- Vulnerable WSO2 product(s) and their version(s)
- List of URL(s) and affected parameter(s)
- Describe the browser, OS, and/or app version
- Describe the self-assessed impact
- Describe the steps to exploit the vulnerability
- Any proposed solution
We thank you for helping us keep WSO2 products and services safe!