28 changes: 19 additions & 9 deletions SECURITY.md
Expand Up @@ -2,14 +2,24 @@

## Reporting Vulnerabilities

> **Warning** : Please do not create GitHub issues for security vulnerabilities.
> **Warning:** Do **not** create GitHub issues for security vulnerabilities.

WSO2 takes security issues very seriously. If you have any concerns regarding
our product security or have uncovered a security vulnerability, we strongly
encourage you to report that to our private and highly confidential security
mailing list: security@wso2.com first, without disclosing them in any forums,
sites, or other groups - public or private. To protect the end-user security,
these issues could be disclosed in other places only after WSO2 completes its
[Vulnerability Management Process](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process).
WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private.

[WSO2 guidelines for reporting a security vulnerability](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Reporting+Guidelines) page describes how to report a Security Vulnerability and includes a public key if you wish to send secure messages to security@wso2.com
To protect end‑user security, vulnerabilities should only be made public **after WSO2 completes its internal vulnerability handling process**.

### How to Report a Security Vulnerability

1. **Report privately first:** Send a detailed report to `security@wso2.com`.
2. **Include key information:**
- Affected WSO2 product name and version.
- A high‑level description of the issue.
- Steps to reproduce the vulnerability (screenshots or steps if applicable).
- Your own severity assessment and impact.
3. **Confidential communication:** If you wish to send secure messages, use the PGP public key for `security@wso2.com` (available via the [WSO2 Security portal](https://security.docs.wso2.com/)).
4. **WSO2 response process:**
- WSO2 acknowledges the report and investigates.
- If the report is valid, patches are created and tested internally.
- After mitigation and agreed timelines, a public announcement may be made.

This embedded guidance ensures users have clear instructions on reporting vulnerabilities without relying on external links that may not be accessible.
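Review bot: the closing paragraph ("This embedded guidance ensures users have clear instructions ... without relying on external links") is PR rationale, not policy text, and it is contradicted by step 3 of the same hunk, which still sends reporters to an external portal for the PGP key; either drop that sentence or make step 3 self-contained by embedding the key fingerprint (and ideally the key ID) inline so a reporter can verify the key without leaving the file. Two smaller points in the same hunk: the removed lines linked to the "Vulnerability Management Process" page, but the replacement "after WSO2 completes its internal vulnerability handling process" carries no link, so reporters lose the only reference to the disclosure timeline, and step 4's "agreed timelines" has nothing to point to; consider keeping that link or stating the expected acknowledgement and disclosure windows here. Also, step 2's "Steps to reproduce the vulnerability (screenshots or steps if applicable)" repeats itself; "Steps to reproduce, with screenshots or a proof of concept where applicable" reads better.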