Reporting a Security Vulnerability

The WSO2 security team welcomes contributions from our user community, developers, and security researchers to reinforce our product security. The security team will be more than happy to assist you in such efforts.

We strongly encourage you to report security vulnerabilities to our private security mailing list, security@wso2.com, before disclosing them in any public forum.

Only members of the WSO2 internal security team are subscribed to this private list, and messages sent to it are treated as top priority.

If you wish to send encrypted messages to security@wso2.com, use the PGP key with the following fingerprint:

security@wso2.com: F0AB 72EC D77A 6162 4C48 A245 0CF3 FD36 E100 FF07 (published on pgp.mit.edu)

Keyservers do not vouch for who owns a key, so after fetching it compare the fingerprint GnuPG reports with the one above before encrypting anything to it.
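As an added example, not part of the WSO2 page or its tooling: a POSIX shell script that fetches the key by the fingerprint printed above, refuses to proceed unless GnuPG reports exactly that fingerprint for the primary key, and then encrypts a report file to it. It assumes gpg is installed and the keyserver is reachable; the hkps scheme, the helper names, and the sample key listing used for the offline check are assumptions.

```shell
#!/bin/sh
# Added example (not from the WSO2 page): fetch the security@wso2.com key,
# verify its fingerprint against the published value, then encrypt a report.
# Requires GnuPG (gpg). The fingerprint and host come from the page; the
# hkps scheme is an assumption (use hkp:// if the server does not offer TLS).

EXPECTED_FPR="F0AB72ECD77A61624C48A2450CF3FD36E100FF07"
KEYSERVER="hkps://pgp.mit.edu"

# Normalize a fingerprint so "F0AB 72EC ..." and "f0ab72ec..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 if the two fingerprints match after normalization.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key's fingerprint: the first "fpr" record after the "pub" record
# (field 10 of an fpr record holds the fingerprint). Subkey fingerprints
# follow their own "sub" records and are ignored.
primary_fingerprint() {
    awk -F: '$1=="pub"{want=1;next} want && $1=="fpr"{print $10; exit}'
}

# Constructed sample of gpg --with-colons output (not real key data) so the
# parsing and comparison can be exercised offline.
SAMPLE_LISTING='pub:-:4096:1:0CF3FD36E100FF07:1400000000:::-:::scESC::::::23::0:
fpr:::::::::F0AB72ECD77A61624C48A2450CF3FD36E100FF07:
uid:-::::1400000000::0000000000000000000000000000000000000000::WSO2 Security <security@wso2.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Exit status 0 if the sample listing's primary fingerprint is the expected one.
check_sample_listing() {
    fingerprint_matches "$(printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprint)" "$EXPECTED_FPR"
}

# Full workflow (needs network and gpg): fetch, verify, encrypt.
# Usage: encrypt_report report.txt   -> writes report.txt.asc
encrypt_report() {
    report="$1"
    out="${report}.asc"
    gpg --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR" || return 1
    actual=$(gpg --with-colons --fingerprint "$EXPECTED_FPR" | primary_fingerprint)
    if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: got '$actual', expected '$EXPECTED_FPR'" >&2
        return 1
    fi
    # Trust was established by the fingerprint check above, not by the
    # keyserver, so bypass the web-of-trust prompt for this one recipient.
    gpg --armor --encrypt --trust-model always \
        --recipient "$EXPECTED_FPR" --output "$out" "$report"
}
```

Fetching and encrypting by the full fingerprint rather than the short key ID avoids key-ID collisions; the explicit comparison still matters because the keyserver is an untrusted source and a substituted key would otherwise be used silently.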

Vulnerability Information

Please use the following template in reporting vulnerabilities:

  • Vulnerable WSO2 product(s) and version(s)
  • Overview: High-level overview of the issue and self-assessed severity
  • Description: Include the steps to reproduce
  • Impact: Self-assessed impact
  • Solution: Any proposed solution

Vulnerability Handling

An overview of the vulnerability handling process:

  • The reporter sends the vulnerability privately to security@wso2.com
  • The WSO2 security team works privately with the reporter to resolve the vulnerability; the initial response time will be less than one hour
  • The security team fixes the vulnerability and provides a patch for internal QA testing
  • QA verifies the patch and approves the release
  • All WSO2 customers are notified and are expected to apply the patch before public disclosure
  • The vulnerability is announced and the patch is shared publicly