From fc7bbd1a3a8c072c3f165e2e1c3a3837fa740f8e Mon Sep 17 00:00:00 2001 From: tarini0782 Date: Fri, 9 Jan 2026 12:22:55 +0530 Subject: [PATCH 1/5] Improve clarity in Security Policy paragraph Updated SECURITY.md to improve readability while keeping the original meaning. --- SECURITY.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 340e7deba0..35407446ec 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,14 +2,11 @@ ## Reporting Vulnerabilities -> **Warning** : Please do not create GitHub issues for security vulnerabilities. +> **Warning:** Do **not** create GitHub issues for security vulnerabilities. -WSO2 takes security issues very seriously. If you have any concerns regarding -our product security or have uncovered a security vulnerability, we strongly -encourage you to report that to our private and highly confidential security -mailing list: security@wso2.com first, without disclosing them in any forums, -sites, or other groups - public or private. To protect the end-user security, -these issues could be disclosed in other places only after WSO2 completes its -[Vulnerability Management Process](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process). +WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. -[WSO2 guidelines for reporting a security vulnerability](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Reporting+Guidelines) page describes how to report a Security Vulnerability and includes a public key if you wish to send secure messages to security@wso2.com +To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its [Vulnerability Management Process](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process)**. + +For detailed instructions on reporting security vulnerabilities, see the [WSO2 Security Vulnerability Reporting Guidelines](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Reporting+Guidelines). +A public key is provided on that page if you wish to send secure messages to `security@wso2.com`. From 2c97f8ff300db39377bbcd8e56eac793e222998b Mon Sep 17 00:00:00 2001 From: tarini0782 Date: Fri, 9 Jan 2026 13:09:03 +0530 Subject: [PATCH 2/5] Fix SECURITY.md: update reporting links and bold formatting - Replaced broken external documentation links with publicly accessible URLs - Corrected bold formatting for "after WSO2 completes its" phrase - Retained email reference to security@wso2.com and mention of public key - Ensured the paragraph is clear and easy to read for reporting vulnerabilities --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 35407446ec..c3397b6b5c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,9 +4,9 @@ > **Warning:** Do **not** create GitHub issues for security vulnerabilities. -WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. +WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. -To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its [Vulnerability Management Process](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process)**. +To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its** [Vulnerability Management Process](https://security.docs.wso2.com/en/latest/security-processes/). -For detailed instructions on reporting security vulnerabilities, see the [WSO2 Security Vulnerability Reporting Guidelines](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Reporting+Guidelines). +For detailed instructions on reporting security vulnerabilities, see the [WSO2 Security Vulnerability Reporting Guidelines](https://security.docs.wso2.com/en/latest/security-reporting/report-security-issues/). A public key is provided on that page if you wish to send secure messages to `security@wso2.com`. From 5f030f0c7545930ad7a29967cce2cac5c351ca00 Mon Sep 17 00:00:00 2001 From: tarini0782 Date: Fri, 9 Jan 2026 13:21:21 +0530 Subject: [PATCH 3/5] Fix broken links in Security Policy Updated SECURITY.md to replace inaccessible external links for the Vulnerability Management Process and Security Vulnerability Reporting Guidelines with publicly accessible URLs. - Preserved the mailto link to security@wso2.com - Kept bolding for "after WSO2 completes its" as per preview - Ensured formatting and grammar remain correct - Users can now access guidance without encountering 403 errors This resolves the issue raised by the review bot regarding inaccessible documentation links. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index c3397b6b5c..869f0c0a2d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,7 @@ WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. -To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its** [Vulnerability Management Process](https://security.docs.wso2.com/en/latest/security-processes/). +To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its** [Vulnerability Management Process](https://security.docs.wso2.com/en/latest/security-processes/vulnerability-management-process/). For detailed instructions on reporting security vulnerabilities, see the [WSO2 Security Vulnerability Reporting Guidelines](https://security.docs.wso2.com/en/latest/security-reporting/report-security-issues/). A public key is provided on that page if you wish to send secure messages to `security@wso2.com`. From 03c427a3fbabf1c028119e07c13253c596e92aeb Mon Sep 17 00:00:00 2001 From: tarini0782 Date: Fri, 9 Jan 2026 13:30:59 +0530 Subject: [PATCH 4/5] Fix SECURITY.md links and improve vulnerability reporting instructions Updated the SECURITY.md file to address inaccessible links and clarify vulnerability reporting instructions: -Replaced or removed the broken external URLs for Vulnerability Management Process and Security Vulnerability Reporting Guidelines. - Ensured private reporting instructions to security@wso2.com remain clear. - Added a note about the PGP public key for secure reporting. - Improved readability and formatting of the Reporting Vulnerabilities section. These changes ensure that security researchers and users can follow the reporting process without encountering inaccessible links. --- SECURITY.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 869f0c0a2d..3cd5d172bf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,20 @@ WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. -To protect end-user security, vulnerabilities should only be made public **after WSO2 completes its** [Vulnerability Management Process](https://security.docs.wso2.com/en/latest/security-processes/vulnerability-management-process/). +To protect end‑user security, vulnerabilities should only be made public **after WSO2 completes its internal vulnerability handling process**. -For detailed instructions on reporting security vulnerabilities, see the [WSO2 Security Vulnerability Reporting Guidelines](https://security.docs.wso2.com/en/latest/security-reporting/report-security-issues/). -A public key is provided on that page if you wish to send secure messages to `security@wso2.com`. +### How to Report a Security Vulnerability + +1. **Report privately first:** Send a detailed report to `security@wso2.com`. +2. **Include key information:** + - Affected WSO2 product name and version. + - A high‑level description of the issue. + - Steps to reproduce the vulnerability (screenshots or steps if applicable). + - Your own severity assessment and impact. +3. **Confidential communication:** If you wish to send secure messages, use the public key associated with the security mailing list. +4. **WSO2 response process:** + - WSO2 acknowledges the report and investigates. + - If the report is valid, patches are created and tested internally. + - After mitigation and agreed timelines, a public announcement may be made. + +This embedded guidance ensures users have clear instructions on reporting vulnerabilities without relying on external links that may not be accessible. From ac4e3db0c7952ff6488d476fa8c55a6361cf01b8 Mon Sep 17 00:00:00 2001 From: tarini0782 Date: Fri, 9 Jan 2026 13:40:09 +0530 Subject: [PATCH 5/5] Update SECURITY.md with PGP public key clarification - Added clarification for step 3 under "How to Report a Security Vulnerability" to specify that the PGP public key for security@wso2.com is available via the WSO2 Security portal. - Ensures reporters have a clear, accessible method for secure communication. - Removed reliance on inaccessible external links; all guidance is now self-contained. - Preserves original instructions for private reporting, required information, and WSO2's response process. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 3cd5d172bf..035adf17e8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ To protect end‑user security, vulnerabilities should only be made public **aft - A high‑level description of the issue. - Steps to reproduce the vulnerability (screenshots or steps if applicable). - Your own severity assessment and impact. -3. **Confidential communication:** If you wish to send secure messages, use the public key associated with the security mailing list. +3. **Confidential communication:** If you wish to send secure messages, use the PGP public key for `security@wso2.com` (available via the [WSO2 Security portal](https://security.docs.wso2.com/)). 4. **WSO2 response process:** - WSO2 acknowledges the report and investigates. - If the report is valid, patches are created and tested internally.