Vulnerability Reporting Guidelines

We are truly grateful to our customers, security researchers, and community users for responsibly reporting security vulnerabilities to us. Your efforts help us make our products, services, and open source projects more secure, and thereby help protect the entire WSO2 user community.

When reporting security vulnerabilities, you need to adhere to a few guidelines. This document highlights the points that need to be considered before reporting a vulnerability, the process of disclosing a vulnerability, and the content that needs to be included in a vulnerability report.

A vulnerability you find in a product downloaded from wso2.com might already have been fixed in a later release or security update. Before reporting, check the security advisories that WSO2 has published; see Security Advisories.

Prerequisites for Reporting Vulnerabilities

Note

For WSO2 products, go through the prerequisites before you run an automated security scan or perform a penetration test against them.

  • Make sure the product's security aspects are hardened by following the guidelines provided under Security Guidelines for Production Deployment. Applying these guidelines might already mitigate the concern you are seeing.
  • If you are a WSO2 subscription holder, ensure that you have installed all the Security updates.
  • If you are a security researcher, we encourage you to download the latest product version available before testing.
  • If you are a security researcher who is focusing on rewards and acknowledgements, refer to our Reward and Acknowledgement Program.

Responsible Disclosure of Vulnerabilities

Based on the ethics of responsible disclosure, it is recommended to follow the process given below to report security vulnerabilities.

  • If you are an independent security researcher or a community user, use only the security mailing lists listed on the Report Security Issues page.
  • If you are a WSO2 customer, you can either use the mailing lists listed on the Report Security Issues page or open a ticket in the Support Portal.

Note

Do not use any other medium to report the security vulnerabilities of WSO2 apart from the above-mentioned channels. This includes, but is not limited to, repositories like GitHub, public forums, blogs and other websites, social media, and public/private chat groups.

Further, kindly refrain from sharing the vulnerability details with anyone else. The vulnerability may be publicized only after we have completed the mitigation actions. We will work closely with the reporter and keep them updated on our progress.

What Constitutes a Proper Vulnerability Report

Use the following template when reporting vulnerabilities so that it contains all the required information and helps expedite the analysis and mitigation process.

  • Name of the vulnerable WSO2 product, project, or service and its version (if applicable)
  • A high-level overview of the issue
  • Steps to reproduce. Send us a screencast (if applicable)
  • Self-assessed severity and impact
  • Any proposed solutions

Vulnerability Handling Process

Given below is an overview of the vulnerability handling process:

  • The user reports the vulnerability privately to a security mailing list or through the Support Portal. The initial response time is less than 24 hours.
  • The relevant team at WSO2 fixes the vulnerability and the Quality Assurance process verifies the solution.
  • The fix is distributed as follows:
    • If the issue is in a product, patches are distributed to subscription customers first, and the vulnerability is disclosed publicly 4 weeks later.
    • If the issue is in a service, the fix is applied to the deployment.
    • If the issue is in an open-source project, the fix is applied to the master branch, and a new version of the distribution is released if required.
  • The reporter is kept updated on the progress of the process.